A CLOSER LOOK: Service-oriented architecture

In Part 2 of our series, users who have deployed SOAs see them as a more powerful and flexible alternative to traditional enterprise application integration. Page 12.

Spyware stoppers target biz networks

■ BY ELLEN MESSMER

Spyware has become such a big problem at Scott & White Hospital that the organization is drawing up plans to drastically restrict its staff’s Internet access.

“The biggest issue we’ve got is spyware, the malware that comes down through subversive Web pages,” says Steve Raynes, IT audit manager for the Temple, Texas, healthcare company.

Spyware not only clogs PCs used for patient care but sometimes redirects Web pages to alternate sites. The 7,000-person staff is already banned from accessing gambling and pornography Web sites via filtering software, and Raynes says Scott & White is contemplating adding online shopping to that list to avoid spyware infections.

Raynes is “desperate” for anti-spyware software with the kind of reporting, automated updates, group policies, quarantine and remote configuration seen in anti-virus products. “I can’t find it,” he says.

Until recently there were no anti-spyware products designed with large networks in mind — only stand-alone consumer software or

See Spyware, page 14

10G Ethernet vendors look to stoke demand

■ BY PHIL HOCHMUTH

Network vendors this week are expected to introduce a variety of 10G Ethernet wares aimed at customers seeking to bump up bandwidth in large data centers and campus backbones.

Products range from 10G Ethernet core switches to smaller “pizza box” 10G switches and network interface cards (NIC) that support copper.

Among the products expected to launch are:

• Enterasys Networks’ X-Series core 10G Ethernet switch, based on carrier routing technology acquired from now-defunct Tenor Networks.

• New modules from Foundry Networks, adding eight-port 10G blades and CX4-based 10G copper links to the vendor’s core switch.

• An all-copper 10GBase-CX4 switch from Fujitsu, for linking large servers in a data center.

• The industry’s first copper 10G Ethernet server NIC from Chelsio Communications, based on the 10GBase-CX-4 standard.

One organization that has had 10G Ethernet since 2002 is CERN, the European Organization for

See 10G, page 16

[Chart: “10G-oing down.” Experts say falling prices will drive demand for 10G Ethernet. Axis: average port price.]

Practitioners unlock the secrets of a growing hobby for network pros

Amateur lock pickers assure us they’re only looking for a challenge.

■ BY BOB BROWN

Steel Bolt Hacking is a how-to book for IT personnel interested in the fine art of lock picking.

Douglas Chick swears he isn’t trying to teach anyone to break into your house.

The IS director’s self-published book, Steel Bolt Hacking, is his way to share his knowledge about and cash in on a growing “sport” among computer and network professionals: lock picking.

“Thieves are more inclined to use a hammer and crowbar than they are a lock pick,” says Chick, who lives and works in the Orlando area but keeps the name of his employer under lock and key.

The attraction of lock picking for IT professionals is a natural, according to Chick. “Finding and locating weak spots and vulnerabilities are what computer people enjoy best,” he writes in the 114-page book, which also defines lock-picking terms such as jigglers, pins, plugs, tension wrenches and tumblers.

See Locks, page 65

assessment management

CLEAR CHOICE TEST

We tested eight vulnerability assessment tools and found that these products have added significant management features since our last go-round. Page 48.

ISP SLAs: Your experience

Do your ISPs live up to their promises? See what other network execs have to say about their experiences, then add your own in our forum. DocFinder: 4547

Power People

Want to exercise some personal power? Tell us which industry players you feel qualify for our annual “50 most powerful people in the network industry” list. DocFinder: 4034

Network World Fusion Radio

Get the inside scoop on hot technology issues, such as inexpensive servers, WiMAX, network security design and more. Stream the ses¬

The Wizards answer a reader who asks: “Would an 802.11b/g network be adequate for limited multimedia (few IP cameras, a few users), or do I need to move to 802.11a?”

Server reboot problem

Help Desk Guru Ron Nutter helps a reader whose new Dell PowerEdge server keeps rebooting itself for no apparent reason. DocFinder: 4551

Low dollar or high service?

Columnist James Gaskin gives you advice on choosing a Web host and avoiding scams. DocFinder: 4552

Columnist Keith Shaw looks at why Sonos delayed the debut of its high-end audio system and why it was the right move.

Aggressive Defense

No corporation is exempt from attack — protected or not. The difference between safe and sorry? Preparation.

More stolen source woes for Cisco

■ A group claiming to have the source code for a Cisco firewall product is selling the code on a Web site for $24,000. The group, known as the Source Code Club, is believed to be a loose federation of hackers. The SCC says it is offering source code and all the files necessary to create a usable Cisco PIX 6.3.1 image. The SCC previously offered source code to other products, including Enterasys Networks’ Dragon intrusion-detection system product and the source to Napster file-sharing software. While experts say there is no way to prove the SCC’s PIX code is genuine, the incident is the second of its type for Cisco this year. In May a hacker group posted chunks of Cisco IOS source code after it was stolen from an unsecure server inside the vendor’s network.

Cisco: Why MAX?

■ The WiMAX wireless broadband standard remains a broadband question mark, said Cisco CTO Charles Giancarlo, who spoke last week as a keynoter at the Next Generation Networks conference in Boston. He told the audience Cisco sees a very uncertain future for WiMAX, which has been touted as a less-expensive alternative to the 3G cellular networks carriers are rolling out. “Why would anyone build two parallel [wireless broadband] networks?” he asked. “I still maintain that the case for WiMAX is challenging at the moment.” On the other hand, he said, ultrawideband wireless looks more promising as a very short-range, high-throughput technology to handle videostreams or even data exchanges between rack-mounted computers.

Stone leaves No. 2 position at Novell

■ Novell Vice Chairman Chris Stone, presumed heir apparent to Chairman and CEO Jack Messman, has left the company to pursue other opportunities, according to a statement from Novell. Stone rejoined Novell in March 2002 after a two-year hiatus as CEO of supply-chain management company Tilion. He is credited with driving Novell’s Linux strategy. No successor has been named, but sources indicate that Messman will rely on some of the talent the company picked up from the acquisitions of Ximian and SuSE to lead the company. “We thank Chris for his service to Novell over the past two and one-half years,” Messman said in a statement. “He made significant contributions to changes in our strategic direction, and his vision and energy will be missed. We wish him well.”

Cisco hit with patent lawsuit

■ A Miami Beach, Fla., company last week sued Cisco for alleged patent infringement, charging the networking giant with stealing its routing technology. ConnecTel says Cisco is using without compensation a set of technologies that ConnecTel founder Allen Kaplan invented in the 1990s, according to a copy of the complaint the company’s attorney provided. At the heart of the complaint is an intelligent data-routing system that can choose the best data path and transmission method in real time, based on multiple factors, including bandwidth, availability, security and the user’s priority, according to the complaint. Kaplan applied for patents on the technology in 1996, says Daniel Perez, an attorney at Winstead Sechrest & Minick P.C. in Dallas. Cisco couldn’t comment on the suit because it has not yet seen the complaint, according to company spokeswoman Penny Bruce.

From Google to Moogle. If you love the Google search engine, you might really like what lies ahead, according to Rod Randall, senior managing director at venture capital firm Vesbridge Partners. Speaking at last week’s Next Generation Networks Conference in Boston, Randall predicted a future service he dubbed “Moogle” that will bring multimedia search engines to mobile device users.

Voting glitches. U.S. voters calling in to a toll-free number reported more than 1,100 separate incidents of problems with electronic voting machines and other voting technologies by late last Tuesday during the nationwide election. In more than 30 reported cases, when voters reviewed their choices before finalizing them, an electronic voting machine indicated they had voted for a different candidate. E-voting backers called the number of reported problems minor in the context of almost 50 million voters projected to use machines.

Where’s the spam vaccine? Spam has risen to the point where it is now a “public health problem,” says Phillip Hallam-Baker, principal scientist at VeriSign. Speaking at last week’s Next Generation Networks Conference, he said: “There’s too much of the thinking, ‘I’ve got a problem. How do I stop it from hurting me?’ . . . It’s a public health problem. We have to look for ways to stop the infection from spreading to others.”

Verizon, Nextel settle differences

■ Verizon Wireless and Nextel Communications last week said they have reached an agreement to resolve all their legal disputes. The companies are dismissing their pending lawsuits against each other and are releasing each other from all other existing claims. Nextel also agreed to forego any trademark and other ownership rights to the phrases “Push To Talk,” “PTT” and all related “PUSH” names. Both parties retain the rights to use those terms in connection with their services marketing. Nextel sued Verizon in September 2003, alleging deceptive marketing of its PTT service. Nextel took issue with Verizon’s claims that its PTT service was “available on the best, most reliable network.” Other terms of the settlement were not disclosed.

COMPENDIUM

Top or bottom?

Jeremy Zawodny wonders: Is your in-box organized so you see new messages at the bottom of the screen or at the top? This “queue vs. stack” question generated quite the discussion. Peruse the answers at www.nwfusion.com, DocFinder: 4559.

Now that’s an absentee ballot

■ Space station astronaut Leroy Chiao last week became the first American to vote for president from outer space. Chiao cast an encrypted ballot via e-mail from the international space station 225 miles above earth. The e-mail traveled down via satellite link to Mission Control in Houston and then to the Galveston County clerk’s office in Texas, where Chiao resides. Chiao declined to name the candidate for whom he had voted.


BigFix mixes systems and patch mgmt.

■ BY DENISE DUBIE

Patch management vendor BigFix this week is unveiling software that will let customers forward application and software upgrades to distributed systems and maintain an inventory of desktops, laptops and servers and the software running on them.

Its upgraded flagship software BigFix Enterprise Suite (BES) 5.0 uses server and agent software to manage devices. A central management console communicates with agents distributed on managed devices to collect data, perform inventory and vulnerability scans, and take action, if needed.

BigFix also provides what it calls Fixlets, which are small messages that contain the intelligence to detect certain problems, such as known security vulnerabilities or misconfigured software, and automate the repair of those errors. BigFix agents contain any number of Fixlets.

BigFix is betting that users will be able to naturally expand the use of BES 5.0 to address other systems management tasks, but despite some similarities in the technologies, patch management and systems management tend to be the responsibility of separate IT groups: security and operations, respectively.

“BigFix is rolling out enterprise features that many customers might already be getting from a larger systems management vendor,” says David Friedlander, a senior analyst at Forrester Research. “Patch management is partly software distribution, but it is also partly vulnerability scans and patch identification, most of which is done separately from traditional desktop or systems management.”

Patch management requires customers to identify the patches to be distributed and the machines requiring the patch. The process involves assessing systems for vulnerabilities, testing patches, deploying patches and then ensuring the patch deployed actually removed the vulnerability from the machine without causing performance problems.

Patch management products from BigFix and competitors Shavlik Technologies and PatchLink provide the security scans and intelligence needed to spot vulnerabilities and plug them quickly. Software distribution products from Computer Associates, Marimba (now part of BMC Software) and Novadigm (now owned by HP) tackle application upgrades, distribution and rollbacks when problems occur.

The additional management features could benefit customers that already use BES.

“Patch management is what gets attention, but in reality 80% of what’s needed to do patch management can be put to use for other IT tasks, such as application upgrades or operating system migrations,” says Fred Broussard, a senior analyst at IDC.

He says customers with between 500 and 3,500 servers, desktops and laptops — that don’t already have a Microsoft, CA or Altiris product in place — also could use BES 5.0 to send out application upgrades to desktops, for example.

Pricing for BES 5.0 starts at $15.50, per seat, per year. ■


Getting patching right A debate

On Nov. 15, Network World will launch an all-week online debate featuring vendors from three sectors involved in the patching puzzle: pure-play patch management players Shavlik and BigFix; server and desktop management vendors Altiris and Configuresoft; and vendors that couple vulnerability scanning with patch management, Citadel and Symantec.

We’ll launch the debate with vendors’ answers to questions from Network World Senior Editor John Fontana, Senior Writer Denise Dubie and guest expert Felicia Nicastro, principal consultant with International Network Services, a professional services consultancy. On Tuesday, Nov. 16, we’ll have the vendors question each other, and then on Nov. 17 we’ll open it to the audience.

virtual showdown

www.nwfusion.com, DocFinder: 4621


Storage vendors rolling out data-protection wares

■ BY DENI CONNOR

A half-dozen storage vendors this week are expected to announce enhancements to products that help IT professionals better archive, back up and manage data on Fibre Channel and IP storage-area networks.

Included among the scheduled announcements are:

• Exagrid’s expected debut of a network-attached storage (NAS) system and management software that automatically backs up data and provides disaster-recovery capability.

• EMC’s anticipated introduction of a version of its ApplicationXtender software that adds the ability to retain and retrieve records for regulatory compliance.

• Network Appliance’s plan to unveil enhancements to its Data OnTap operating system that make it easier to provision and replicate data, and increase the number of storage arrays to which its gFiler NAS gateway can connect.

• Panasas’ expected rollout of new hardware bundles and enhancements to its file system that let it handle larger workloads much faster.

• EqualLogic’s plans to announce iSCSI-based hardware appliances and software to protect data stored on them.

• CommVault’s anticipated shipment of a new version of its storage resource management product that makes it easier to recover saved data.

IDC says IT organizations spent $4.3 billion on back-up, archiving and replication software last year, and that the market will grow to $6.58 billion by 2008, which would represent 54% of storage software expenditures.

Exagrid, a start-up funded by Highland Partners and Sigma Partners, plans to introduce a system called Advanstor, which consists of a NAS appliance called InfiniteFiler that connects to the Gigabit Ethernet network and to Serial Advanced Technology Attachment (ATA) storage appliances called GridDisks.

When IT configures the system and assigns storage capacity to servers, the system automatically sets up a data-protection policy so that data can be backed up or replicated locally or remotely for disaster recovery. The software also can be used to migrate data from expensive primary storage to less-expensive ATA-based GridDisks for archiving. Prices start at $62,000 for a two-node InfiniteFiler and a 1T-byte GridDisk system with software.

EMC plans to announce Documentum ApplicationXtender 5.2 software, a fixed content management suite for midsize businesses. ApplicationXtender 5.2 integrates Documentum’s Department of Defense 5015.2 records management package, Documentum AX 5.2, and the ability to retain files and images for regulatory compliance. The software costs $20,000 for 25 concurrent users.

Network Appliance is expected to introduce a new version of its operating system for its file servers. Data OnTap 7G includes FlexVol capability, which improves utilization by gathering physical capacity into a single pool of storage, from which volumes can be automatically shrunk or expanded to accommodate demand. Data OnTap 7G also includes the ability to copy data for testing, development or simulation. The product ships with Network Appliance file servers at no extra charge.

“Increasingly, people are seeing that the ability to replicate a volume has applications far beyond protection,” says Mike Karp, senior analyst for Enterprise Management Associates. “You can clone a volume and hand it off as a test bed to people doing development or patching a Windows-based system.”

Further, the company’s gFiler NAS gateway now can attach to HP StorageWorks XP disk arrays and IBM’s TotalStorage DS4000 series.

Panasas is scheduled to announce two NAS bundles — a 5T-byte-capacity bundle called Parallel NAS and a 4.5T-byte Scalable NAS. The Parallel NAS bundle consists of DirectorBlade, which serves as a gateway between Unix/Linux Network File System (NFS) and Microsoft’s Common Internet File System (CIFS) clients and the company’s StorageBlades. The Scalable NAS consists of two DirectorBlades and supports CIFS and NFS.

Panasas also enhanced its file system. ActiveScale File System 2.0 includes enhanced load balancing for business continuity, record-locking and parallel data access for data backup and restoration.

EqualLogic plans to introduce PeerStorage iSCSI appliances designed for businesses that are moving from direct-attached storage to networked storage. The appliances scale from 1.75T to nearly 45T bytes of Serial ATA storage, and include point-in-time copy, volume cloning and remote replication capability for fault tolerance and disaster recovery. They are priced starting at $24,900.

CommVault is expected to roll out policy-setting features for its QiNetix storage resource management software that let IT tier storage by placing data on the appropriate storage medium based on its value. The new version of QiNetix lets IT set policies that automate data migration and recovery. QiNetix is set to be available this month; pricing starts at $800. ■

Summer blues slow Q3 venture funds

■ BY CARA GARRETSON

Venture capital investments in network companies and other IT vendors dipped during the third quarter, a traditionally slow period for such funding. A few sweet spots in the industry continued to attract most of the dollars.

According to a special slice of the data reported in the MoneyTree Survey by PricewaterhouseCoopers, Thomson Venture Economics and the National Venture Capital Association done for Network World, venture capitalists made 304 investments in IT companies totaling $2 billion during the third quarter. This is down from 409 investments tallying $2.7 billion in the second quarter but on par with the dollar amount of investments made in 2003’s third quarter.

For the purposes of this report, IT companies are defined as those in the computer, peripheral, IT services, networking and related equipment, semiconductor, software and Internet communications sectors.

Despite the third-quarter dip, venture funding in IT companies for 2004 is still expected to meet or exceed the $9.1 billion invested in 2003, according to Tracy Lefteroff, global managing partner, Venture Capital & Private Equity Practice at PricewaterhouseCoopers. Funding for 2004’s first three quarters comes in at about $7.4 billion.

VoIP service provider Vonage stole the spotlight during the third quarter with a $105 million deal (see graphic). The company, which sells VoIP services to residential and small-business customers in about 125 markets in the U.S. and abroad, plans to use these funds to expand its service area, company officials say.

“That’s a pretty hot little area,” Lefteroff says of the VoIP market. It’s also a capital-intensive one, he adds, which might explain why Vonage’s third-quarter deal was more than three times the size of the next-largest deal.

As in the past, software investments dominated the third quarter, with 160 deals totaling $942 million. Of those investments about 20 went to security companies, such as patch-management vendor PatchLink, which received $30 million.

“Security is clearly overfunded as a sector,” says Asheem Chandna, a venture partner with Greylock Partners. “Having said that, when you talk to customers one gets the strong sense that the [security threat] is only getting worse . . . that means there are opportunities for new companies.”

Following software was the semiconductor sector, which attracted $331 million in investments during the third quarter. Money flowed into companies such as imaging processor maker Silicon Optix with a $40 million investment and Ember, which makes wireless chips and received $25 million.

Companies in the network and related equipment market saw $314 million in third-quarter investments, including optical gear maker Infinera with a $35 million investment.

Beyond Vonage’s hefty deal, investors only dabbled in Internet communications companies, putting $217 million into this sector. PolyServe, which makes system software

MoneyTree

Venture gained

These companies attracted the largest investments in the IT industry during the third quarter:

Company | Deal value | Product/service | Investors
Vonage Holdings | $105 million | Residential and small-business VoIP services | New Enterprise Associates, 3i, Meritech Capital Partners
Silicon Optix | $40 million | Imaging processors | Apax Partners, Polaris Venture Partners, InterWest Partners, others
Infinera | $35 million | Carrier-grade optical equipment | Kleiner Perkins Caufield & Byers, Benchmark Capital, Mobius Venture Capital, others
PatchLink | $30 million | Patch management software and services | Bay Partners, BA Venture Partners, Government of Singapore Investment

SOURCE: MONEYTREE SURVEY BY PRICEWATERHOUSECOOPERS, THOMSON VENTURE ECONOMICS AND THE NATIONAL VENTURE CAPITAL ASSOCIATION


for Internet data centers, saw a $20 million investment, as did Wayport, a wireless ISP.

For more results, go online to www.nwfusion.com, DocFinder: 4562. ■


AirDefense  counterattacks  WLAN  threats 


■  BY  JOHN  COX 

AirDefense  this  week  is  set  to 
release  the  latest  version  of  its 
wireless  LAN  protection  soft¬ 
ware,  with  features  that  will  let 
users  mount  counterattacks 
against  threats  to  wireless  clients 
and  networks. 

The  changes  in  AirDefense 
Enterprise  6.0  focus  on  letting 
users  block  or  disconnect  WLAN 
threats,  such  as  wireless  intru¬ 
sions,  rogue  access  points  and 
denial-of-service  attacks.  The 
product  consists  of  radio  sensors 
to  monitor  WLAN  transmissions, 
and  server  software  to  track, 
record  and  counter  an  array  of 
threats. 

The  changes  reflect  similar 
moves  by  other  WLAN  security 
vendors,  among  them  Wibhu 
Technologies  and  Highwall 
Technologies,  to  expand  WLAN 
security  features.  Intrusion  pre¬ 
vention,  which  blocks  attacks  or 
prevents  accidental  associations 


with  unauthorized  access  points, 
is  one  key  area  of  this  expansion. 

This  increased  scope  of  the 
AirDefense  software  is  important 
to  Lehman  Bros.,  a  New  York  bro¬ 
kerage  and  investment  banker. 
The  company  has  only  a  small 
Cisco  WLAN,  but  it  uses  Air¬ 
Defense  to  monitor  WLAN  activity 
Version  6.0  lets  network  managers 
immediately  and  remotely  dis¬ 
able  a  rogue  device  with  a  single 
keystroke,  says  Frederick 
Nwokobia,  senior  engineer  with 
Lehman’s  IT  group. 

AirDefense  6.0  includes  an  op¬ 
tional  agent,  dubbed  AirDefense 
Personal,  that  runs  on  a  Windows 
laptop  PC,  and  watches  for  about 
50  problematic  activities.  One 
example  is  connecting  to  what 
appears  to  be  a  public  WLAN  but 
actually  is  a  username/password 
trap  using  Airsnarf.  When  the 
agent  detects  a  problem,  it  can 
shut  off  the  client’s  WLAN  adapter 
card,  for  example.  It  then  sends  a 
report  to  the  AirDefense  server. 


Protecting WLANs

AirDefense evolves into WLAN intrusion protection in Version 6.0, adding:

• Software agent, to protect WLAN clients from viruses, other threats.
• Threat index, to ID a rogue device as a low to high risk.
• More than 100 new traffic patterns to detect specific attacks or suspicious actions.
• Automatic counterattacks, such as disconnecting clients from rogue access points or blocking a denial-of-service attempt.

Such automated responses are a key part of Version 6.0, although users can opt to manually trigger these actions from a central console.

These automatic responses are married with a new feature called the rogue threat index. This is a display that detects a rogue wireless device and assigns it a low to high level of risk. “It’s one thing for an [intrusion-detection system] to say ‘here’s a rogue,’” Nwokobia says. “But [AirDefense 6.0] now says, ‘here’s a rogue that’s connected to your network.’”

The AirDefense release includes more than 100 new threat-detection patterns, a total of 200, for which the software continuously monitors. Another change is that AirDefense can pull user and device configuration data from Lightweight Directory Access Protocol directories without having to re-enter all this data manually.

Version 6.0 of AirDefense is scheduled to ship next month. Pricing is unchanged, starting at about $7,000 for four sensors and the server software.

AirDefense is not the only vendor embracing WLAN intrusion prevention.

Start-up Wibhu is set to unveil at the end of this month a product broadly similar to the AirDefense 6.0. It includes sensors to pick up and monitor radio signals, and software to locate the signals, identify an array of threats, and, most importantly, take automatic action against them.

The company says it has developed algorithms that can accurately detect and identify threats, and pinpoint their location, with a high degree of accuracy, eliminating the numerous false alarms that plague many intrusion-detection tools.

Highwall is planning a new release this month of its Highwall Enterprise WLAN monitoring software. The new version will include changes to let network administrators enforce wireless security policies automatically on a WLAN that now can span several locations. ■
A CLOSER LOOK: Service-oriented architecture

Second of two parts

Early adopters: SOA worth the effort


SOA advice

Early adopters share their tips for getting the most from an SOA.

Don’t get fooled by the simplicity of the SOA concept.
For example, the industry touts Web services for its language independence. “Technically, I should be able to go from Java to .Net, and from .Net to Java, via SOAP. It should work, right?” says Peter Underwood, vice president and director of software development at Wall Street Access. “But there are gotchas. Web services don’t give you immediate interoperability.” For example, a Java collection — which is a grouping of Java objects — has to be wrapped for .Net to understand it, he says.

Evaluate your integration requirements upfront.
It’s important to get the right brokering routine for your company’s needs, says Cmdr. Scott Smith, assistant CIO of the NAVFAC. NAVFAC uses the message-brokering tools embedded in Oracle’s application platform. Companies that have complex data transactions and require a lot of many-to-many asynchronous interfaces might require more specialized capabilities in a pure play integration suite, he says. “Brokering Web services is kind of easy, but brokering data transaction gets harder,” he says.

Plan to service-enable existing applications.
Existing applications will require retooling to run off the SOA, Underwood adds. “You really have to convert any legacy applications onto the SOA framework to get the benefit of it. That should be part of your plan to begin with,” he says.

Balance performance requirements.
Wall Street Access uses Web services whenever it makes sense, but sometimes falls back on the Java-based remote method invocation (RMI) technology to enable remote communication between Java programs. “For very performance-sensitive transactions we will do RMI,” Underwood says.


■ BY ANN BEDNARZ AND JOHN FONTANA

The concept of a service-oriented architecture has gained momentum as an alternative to traditional enterprise application integration, and early adopters are drawn to it for all the things old-school EAI didn’t deliver: flexibility, standard messaging formats, greater asset reuse potential and reduced integration expenses.

Instead of an architecture of independent applications woven together by proprietary message brokers, an SOA is built from software components wrapped with interfaces that use standards such as Simple Object Access Protocol (SOAP) to invoke them.

The theory behind an SOA is that users can take new and existing components — such as a credit authorization check — and expose them as services without being tied to any specific user interface. These components then can be shared, reused and linked to create composite applications across a network.

However, the simplicity of the concept belies the effort required to make old systems fit into the new architecture. In Part 1 of our series on SOAs (see www.nwfusion.com, DocFinder: 4561), experts pointed out all the work that needs to be done to service-enable applications and networks. Companies have to retrofit existing applications, build new layers of middleware, and devise new management practices and security defenses, for example.

Among the early adopter sect, companies have decided it’s worth the effort it takes to migrate to an SOA-based infrastructure, one project at a time. Along the way, some have found SOA paybacks with reusable services to accelerate and lower the cost of development processes.

The Hartford Financial Services Group, for example, no longer thinks about overhauling monolithic application code, such as a relic from 1997, its Single Entry Multiple Carrier Interface (SEMCI) application. SEMCI lets agents enter data once and broadcast it to multiple carriers searching for a quote.

“If we wanted to make improvements we had to consider changes to the entire application,” says Ben Moreland, manager of application infrastructure delivery for the Connecticut insurance and financial services provider. That left the SEMCI application near its breaking point.

To preserve the SEMCI application, a team of nearly three dozen architects rebuilt it by creating a series of Web services that tap into back-end legacy systems. As part of the work, the group also created a reference architecture that would become a foundation for the company’s entire Property and Casualty business.

“We put in the [SEMCI] budget a management platform that could be used across the enterprise,” Moreland says. On its heels followed a Universal Description, Discovery and Integration (UDDI) registry and systems for orchestration, and publish and subscribe.

Those pieces set the SOA foundation, which The Hartford continues to develop.

Modernization 

Another reason users might look at SOAs is the opportunity to modernize business processes. Freeing staffers from repetitive data entry led the Naval Facilities Engineering Command (NAVFAC) to consider SOA.

NAVFAC designs and constructs Navy properties around the world, handling about $8.5 billion in facility services annually. But it’s no monopoly: Navy building owners can choose NAVFAC competitors such as the General Service Administration (GSA) to manage their facilities. The GSA also isn’t bogged down with the legacy baggage NAVFAC is, says Cmdr. Scott Smith, assistant CIO of the Washington, D.C., unit.

In the past there’s been a lot of manual data entry required to share information among contract-management applications running on disparate platforms, he says. To even the playing field, NAVFAC looked to streamline its contracts administration processes by automating the interface between two key systems: the Department of Defense’s Standard Procurement System, a Windows-based procurement system NAVFAC is required to use; and NAVFAC’s custom, mainframe-based Facility Information System, which handles tasks such as funds management and project accounting.

NAVFAC wants to tie those systems to its new composite applications, including eProjects and eContracts, which automate project and contract management processes.

With conventional EAI, NAVFAC would have had to rely on message brokers, application adapters and translators to enable data sharing among the applications. It would have taken too long and cost too much money, Smith says.

Instead NAVFAC wrapped the current systems with Web services that draw out necessary contract information without requiring any changes to the applications’ source code. Jacada’s Fusion software mediates between NAVFAC’s legacy systems, Windows-based applications and the new composite applications, Smith says.

Having service-enabled these core business applications, NAVFAC hopes to find opportunities to reuse the components down the line, Smith says. “We’re not at 100% reuse, but the tools are improving,” Smith says.

Delivery  date 

For Wall Street Access, it was the desire to improve information delivery to customers, partners and suppliers that led to its SOA.

The New York brokerage firm integrates and aggregates stock market information from about 20 market data providers — including BusinessWire, CBS MarketWatch, Edgar Online, Pinnacore and the New York Stock Exchange — to populate its AccessPoint trading application.

The scenario was a natural fit for an SOA, but the firm arrived at that conclusion almost by default, says Peter Underwood, vice president and director of software development at Wall Street Access. The firm started with plans for a core set of interfaces to be exposed to different applications, then chose a development language — Java — and decided on IBM’s WebSphere family for its platform.

The result is a disparate set of services brought together in a common framework. For example, one service automates the data exchanges between Wall Street Access and its external quote providers. Another service handles order management for a series of applications, he says.

“What we’ve wound up doing is programming things once on the service layer, coming up with one interface, then letting all the other applications utilize that. It’s a true write once, use multiple times,” he says.

Despite the simplicity of the concept, building an enterprise SOA raises technical and business challenges, Underwood says. For one, maintaining an SOA requires development discipline.

“One of the drawbacks is that when I make a change to one interface, the change affects every single application that uses the service,” Underwood says. “When we started off, we thought we were fairly disciplined, but we found out we weren’t.” Where a lack of discipline hurts is when changes to an interface that’s in production are required.

There also are performance issues to be aware of, Underwood says. XML is a verbose language, and Web services communications require serializing and de-

See SOA, page 65


I spy

Here are some definitions of common spyware types.

Adware: Covertly installed on desktops to generate a stream of unsolicited advertisements. Can affect system performance.

Browser hijacker: Change a browser setting, usually altering default start and search pages. Can modify nearly every aspect of a browser including adding/editing bookmarks.

Browser plug-in: Installed as a toolbar or search and navigation feature; plug-ins provide complete access to the browser and can modify, spy on and redirect tasks.

Spyware: Collects demographic and usage information, usually for advertising purposes. Modules are almost always installed and run secretively.

Trojan: Any software that a user is not aware of or did not intentionally install; generally used to compromise security or privacy.

Key logger: Runs in background and logs keystrokes. That information is hidden in the machine for later retrieval or sent to the attacker.


Spyware
continued from page 1

freeware. But consumer-oriented anti-spyware products from Computer Associates (which recently acquired anti-spyware maker PestPatrol), Tenebril and Webroot are getting beefed up for enterprise networks.

CA this week plans to unveil eTrust PestPatrol 5.0 in packages designed for consumers and for small and large businesses. The corporate edition initially will feature a central console. Later, CA plans to integrate the anti-spyware program with its anti-virus software management controls.

Aluria, Giant Software, McAfee and Sunbelt Software say they intend to announce anti-spyware software for enterprise networks, too.

While IT managers are certain to welcome the growing number of choices, one issue that buyers face is that each software vendor defines spyware a little differently and touts wide-ranging numbers of signatures — anywhere between 20,000 and 200,000 — to target spyware files that end up on computers. That means there’s no easy way to compare these products.

“There are no common definitions for the industry,” says Josh Blanchfield, CEO of Tenebril.

However, most vendors seem to agree that spyware includes adware used for marketing purposes in addition to malicious Trojans and key-loggers.

McAfee prefers to not even use the word spyware because some online marketing firms, including Claria, which makes the Gator eWallet and other software for targeted ad presentation, bristle at the term. McAfee uses the term “potentially unwanted programs” instead.

The anti-spyware industry operates with each vendor deciding which adware or Trojan that ends up on a computer should be wiped out based on an assessment of what’s good and bad.

Sometimes the definition of what’s good or bad changes overnight. Aluria, which plans to expand beyond consumer anti-spyware into the corporate market by February, last week generated criticism by saying it would no longer detect and eradicate adware from WhenU.com, which is an adware company whose software provides customers with information on bargains and online savings by examining keywords, URLs and search terms favored by the user.

“They stopped their ActiveX and drive-by downloads,” explains Rick Carlson, Aluria’s president. Aluria’s approach is to evaluate spyware according to its own standards for consumer protection, he says.

If an adware firm changes its practices, it can be considered legitimate and not subject to detection and eradication. Aluria now feels so comfortable with what WhenU is doing that the two have signed a joint marketing deal.

One vendor getting into the anti-spyware market intends to leave it up to system administrators or end users to decide what to eradicate, keep or quarantine. Sunbelt, which makes a range of management and utility products, including LanHound and iHateSpam for Exchange, this week is expected to introduce its CounterSpy line of anti-spyware products for corporate and consumer customers.

While it’s unclear which method will catch on, demand for corporate anti-spyware offerings is clearly on the rise.

Jared Winter, the PC and LAN supervisor at Western United Insurance in Irvine, Calif., says he had to find a tool after spyware brought his company’s imaging system to its knees. He uses CA’s PestPatrol.

“Some of the spyware was downloading viruses,” he says. “So I’ve found using anti-spyware is some help against viruses, too.” ■




Debating what is spyware

Vendors and other observers say sorting out spyware from harmless programs will remain challenging, even with the use of anti-spyware software.

They suggest that users closely monitor use of peer-to-peer programs such as Grokster as potential sources. An underground spyware maker dubbed CoolWebSearch also is notorious for sneaking its software into computers via security holes, says Ben Edelman, a Harvard Law School student and Ph.D. candidate in economics, who has applied his analytical skills to understanding spyware.

Meanwhile, many ad-marketing companies, including Claria, are striving to dispel any qualms about their activities.

Claria makes the Gator eWallet, software for holding passwords that’s offered to users for free in return for accepting advertising based on where the user goes on the Web. Reed Freeman, chief privacy officer at Claria, says this behavior-based marketing is done by keeping the user’s identity anonymous, though the user’s Web history is stored in a database.

Freeman says Claria lobbies anti-spyware vendors to convince them that it has legitimate practices. However, most anti-spyware software still offers the option to nix Gator. What miffs Freeman is that when some of these tools attempt to delete Claria’s software they don’t do a very good job. “In some cases tools will remove the free software but not the ad surfer, so consumers think they’ve uninstalled it but they haven’t and they still get ads,” Freeman says.

Freeman says Claria supports the development of laws and technical standards related to adware.

Yet, the company’s methods continue to come under fire.

Edelman says Claria’s licensing agreement, which is about 6,000 words, contains a number of objectionable statements that users might not fully understand. One is that users agree not to use a “packet sniffer or other device” to intercept data between their desktops and Claria. Edelman says this would appear to prohibit research he’s been doing to see what Claria software transmits.

Claria notes that this clause has never been enforced in his case.

— Ellen Messmer
Expanding the 10G menu

Several vendors are launching 10G Ethernet gear this week:

| Company | Product | Details | Application | Price/availability |
|---|---|---|---|---|
| Enterasys | X-Series X-16 switch | 16-slot switch, supports 768 1G or 64 10G ports. | Large campus backbone or data center core switch. | Starts at $80,000/Q1 2005 |
| Enterasys | X-Series X-8 switch | Eight-slot switch supports 384 1G or 32 10G ports. | Large or midsize backbone/data center switch. | Starts at $58,000/Q1 2005 |
| Foundry | Eight-port 10G blades (for the MG8 switch) | Eight-port optical 10G ports (partially blocking). | Server connectivity or edge switch aggregation. | $50,000/Q1 2005 |
| Foundry | 10GBase-CX4 module | Copper-based 10G module for MG8 line cards. | Server connectivity or short (50-foot) switch-to-switch links. | $1,000/available now |
| Foundry | EIF8X10G switch | Eight-port fiber 10G Ethernet switch. | Server connectivity, switch aggregation. | $20,000/Q1 2005 |
| Fujitsu | XG600-CX4 | 12-port, copper 10G (10GBase-CX4) switch. | Data center server connectivity. | Not available/January 2005 |
| Chelsio | T110-CX4 | Copper-based 10GBase-CX4 server adapter. | Ethernet LAN connectivity for larger server/NAS devices. | $2,500/available now only to OEMs |

10G
continued from page 1

Nuclear Research, where Enterasys’ latest X-Series box will be installed. The 16-slot switch, with 2.56T bit/sec of total switch capacity, can hold up to 64 10G or 768 Gigabit Ethernet ports in a chassis.

CERN now uses 10G switches from Foundry, Cisco and Enterasys. It plans to put in an Enterasys X-Series box outfitted entirely with 10G Ethernet ports as an aggregation switch. The box will move data collected from supercomputing clusters to storage systems, according to Wolfgang von Rüden, head of IT at CERN.

“Our bandwidth needs right now are enormous and always growing,” von Rüden says. Many of the hundreds of experiments at CERN are capable of producing consistent datastreams at 6G to 7G bit/sec over days or weeks, he says.

Another organization getting its feet wet with 10G is Florida A&M University in Tallahassee, which plans to install Foundry MG8 switches with 10G Ethernet uplinks. These boxes will connect to a regional fiber loop around the city. The effort will upgrade the school’s campus ring bandwidth from 155M bit/sec OC-3 SONET.

“We’re going to put these switches in and see what all the hype is about” with 10G Ethernet, says Wayne Dunwoody, director of network technology at Florida A&M. He says he hopes the 10G Ethernet loop will provide a backbone that is faster and as reliable as the current OC-3 ring. If it works out, Dunwoody says, the school plans to boost its multimedia applications, such as IP video broadcasts, while increasing its distance-learning offerings, which integrate video, document sharing and other collaboration applications for students taking courses from satellite schools in Tallahassee.

Correction

■ In the story “Opnet’s IT Guru is tops in modeling an enterprise network” (Oct. 18, page 46), under the category of Modeling Accuracy, Shunra/Storm should have received a grade of 4. This still makes the final score of 4.0 correct.

With its X-Series, Enterasys is bringing carrier technology into its enterprise product line. The box was built primarily by engineers formerly with Tenor, a multi-service carrier switch start-up that went bankrupt last year. Enterasys bought Tenor’s technology and hired its core engineers shortly after the firm’s closing. The X-Series is the first product to result from the Tenor purchase.

Enterasys CTO John Roese says the new box is more than a Tenor switch wearing an Enterasys sticker. The switch was also fitted with technology — ASICs and software — that lets it work with Enterasys’ LAN switch security strategy, Secure Networks. This strategy lets switches identify network attacks and shut down connections, or isolate traffic onto secure virtual LANs. The X-Series surpasses Enterasys’ previous high-capacity backbone N series switches introduced last year.

Roese says carrier-class attributes of the X-Series include separation of areas called the control plane and the data plane. The control plane handles switch management and configurations, while the data plane concerns a switch’s packet-moving and routing processes.

Some competitive products, such as those from Cisco and Foundry, operate control plane and data plane functions in the same software and hardware. In the X-Series, they are kept separate in the circuitry to allow the switch to continue operating if certain hardware within the device fails. This separation also makes it harder for a network attacker to bring down an X-Series switch by accessing the device’s configuration console through such insecure telnet links or glitches in other management interfaces. Force10 Networks’ E series and Juniper’s routers also use this approach.

Increased  density 

Foundry also is pushing higher 10G port density with its eight-port 10G module for the MG8 backbone switch. The new blades allow the switch chassis to hold up to 64 10G ports. However, the blades are limited to 50G bit/sec backplane connections, which prevents all eight ports from running at 100% capacity all at once.

Another Foundry 10G Ethernet offering also might help continue the recent price push-down by switch vendors, says Max Flisi, an analyst with IDG. Foundry is introducing a fixed-configuration switch with eight 10G ports priced at about $4,500 per port with optics.

Costs for 10G gear have come down over the past year, with the average per-port price dropping from $26,000 to about $9,000 per port between June 2003 and 2004, IDC says. More recently, 10G products from Foundry, Extreme and HP cost about $4,000 to $7,000 per port.

10G “is a small market, but it’s going somewhere,” Flisi says. “With the history of Ethernet, it’s always been a matter of when you reach that price point that’s compelling enough to get everyone to widely embrace the technology. We’re getting there with [Gigabit Ethernet], but we’re not quite there yet with” 10G.

Research by Dell’Oro Group estimates that the average Gigabit Ethernet switch costs about $280 per port, factoring in modular and fixed-configuration prices. With 10G still costing about three times as much as Gigabit (on a per-Gigabit basis), observers say we’re still a way off from hitting the pricing sweet spot.

“There hasn’t been much widespread interest in migrating to [10G] in the LAN core, other than in some very large [college] campuses and research,” says Lawrence Orans, principal analyst with Gartner. Besides pricing, the need for 10G bit/sec of bandwidth simply isn’t there in many enterprise backbones and data centers, he says. “A gigabit is still a lot of bandwidth for many companies, and it is still easy to trunk together two or four for larger connections.”

The development of 10G Ethernet over copper cabling could drive further adoption of 10G, analysts say. The IEEE 802.3ak standard for running 10G over InfiniBand-style CX4 cabling was ratified earlier this year, and so far Cisco, HP, Foundry, Chelsio and Fujitsu are in the market.

10G Ethernet over copper is good “since you don’t need the expensive optics that are required with other [10G] technologies,” says Zeus Kerravala, an analyst with The Yankee Group. “Copper [10G] Ethernet is a good option to have for short data center links” such as switch-to-switch, or for connecting servers to switches, he adds.

This is the aim of Chelsio and Fujitsu as they announce a co-developed 10G switch/server NIC product this week at the Supercomputing 2004 show in Pittsburgh. Chelsio, which introduced optical 10G Ethernet NICs earlier this year, is the first to offer a server NIC based on the CX4 standard. Fujitsu, which mainly manufactures 10G components used by switch vendors, is also the first to offer a fixed-configuration all-copper 10G box, with six 10GBase-CX4 ports. These NIC and switch products are targeted at large data center deployments, or server-clustering configurations in research laboratories.

10GBase-CX4 uses a cumbersome InfiniBand cable, with a distance limit of about 50 feet, so its use is restricted to computer room links, where racks of CPUs or switches are close together.

“We’re definitely going to look at” 10GBase-CX4 switch ports and server NICs, says Richard Nelson, director of information processing at the University of Southern California’s Information Sciences Institute (USC-ISI), a computer research center.

USC-ISI runs a 64-node cluster of Intel machines as part of a Department of Homeland Security-sponsored research project called Deter, which simulates how viruses attack network systems. Nelson says that application will need more bandwidth very soon, and copper 10G Ethernet seems an inexpensive way to connect machines, rather than expensive, proprietary server interconnect technologies such as Myrinet or InfiniBand connectors.

“Ethernet is more adaptable than those things,” Nelson says. “If I have to take apart that cluster some day, I can run my LAN on the [10GBase-CX4] equipment. You couldn’t do that with InfiniBand or Myrinet.” ■
■ Tandberg last week rolled out three videoconferencing appliances targeted at desktops and small group conference users. The devices are capable of H.264 video compression and Advanced Encryption Standard. For desktop conferencing, the Tandberg 150 is a self-contained unit that features an 8.4-inch LCD screen, built-in high-resolution camera, speakers and microphone. The 150 can handle calls up to 512K bit/sec over an IP connection. Also, Tandberg is introducing the 1500 MXP and 2000 MXP units for individual executives and meetings in small conference rooms, respectively. Tandberg already is shipping the 150, 1500 MXP and 2000 MXP. The 150 costs about $3,000; the 1500 MXP starts at about $6,500; and the 2000 MXP starts at about $13,000. The optional MCU costs $3,000.

■ CommVault this week is expected to introduce its next-generation data management software that lets IT professionals monitor, track, forecast and manage storage resources. QiNetix is a service-level agreement management package that now includes Recovery Director, which provides snapshot back-up capability; gives a single view of snapshots; and supports EMC, Hitachi Data System, Network Appliance file servers and devices enabled by Microsoft’s Virtual Shadow Copy Service. With Recovery Director, IT can create, manage and synchronize data copies with multiple retention and availability requirements. QiNetix starts at $500 per server.

■ Bocada has announced a new version of its back-up reporting software that includes automated SLA and compliance verification to comply with governmental regulations. BackupReport 3.5 lets customers put rules in place that let them avoid penalties associated with back-up failures and impaired system performance. The new version includes role-based access controls, and data vaulting and restoration support. The software starts at $1,200 per server.


SonicWall  improves  virus  protection 

Latest  release  of  SonicOS  adds  anti-virus  screening  at  the  network  edge. 


■  BY  TIM  GREENE 

SonicWall  is  introducing  software  for  its 
VPN  appliances  that  lets  businesses 
screen  Internet  traffic  for  viruses  as  it 
enters  their  networks. 

Release 3.0 of the company’s SonicOS software equips all the company’s firewall/VPN gear with anti-virus protection, although the amount of protection varies depending on the appliance. The SonicWall Pro platforms filter against 24,000 virus signatures, while the smaller TZ platforms filter against 4,500.

This upgrade puts the software directly on the appliances, creating gateway anti-virus protection. The Network Anti-virus service makes sure desktop virus-scanning software is updated properly before the desktop can connect to the Internet.

The  new  software  pits  SonicWall  against 
Fortinet  and  NetScreen  Technologies, 
both  of  which  offer  anti-virus  screening  as 
part  of  their  firewall/VPN  appliances. 

SonicWall says its software screens traffic as part of flows rather than as individual files and therefore faces no limits on the number of files it can handle at once.

The  screening  also  can  be  performed 
between  LAN  zones  to  ensure  viruses 
infecting  one  network  segment  don’t 
reach  other  segments. 

This type of protection is an alternative to more sophisticated — and more expensive — proxy firewalls, says Raymond Pompon, a network security consultant for Conjungi Networks in Seattle. He says another alternative is to put anti-virus software on all desktops, but that often proves faulty because every workstation must defend itself.

“We find that 10% to 15% are either misconfigured or not updated,” he says, meaning that viruses can gain a foothold in corporate networks. Stopping them at the firewall adds another layer of protection.

The software also updates SonicWall’s intrusion-prevention package so customers can break users into groups and assign different security policies to the different groups. So for instance, instant messaging might be approved for one group but considered a possible intrusion for another.

SonicOS 3.0 also supports authentication via Active Directory and Lightweight Directory Access Protocol directories, making it possible to reduce the work required to set up authentication profiles for VPN remote access using SonicWall gear as a gateway.

The software supports real-time black list services — checking for known spammers and open relays via DNS queries and blocking those that have been blacklisted. Pompon says many businesses buy separate spam-blocking gear, but it can be beyond the means of many small to midsize businesses.

The new software is sold with new purchases of SonicWall’s latest hardware. ■


Multifunction security appliance growth

A host of factors lead to the conclusion that appliances that perform multiple security functions such as firewall, VPN, virus protection and intrusion prevention will grow in popularity, according to IDC.

• IT security personnel is in short supply.

• A projected tenfold increase in e-commerce will require more security for smaller businesses.

• Proliferation of access devices — handhelds, phones, laptops — will increase threat from malicious traffic.

• Ease of deploying appliances will make them an alternative to deploying security software on servers.


EMC  previews  virtualization  appliance 


■  BY  DENI  CONNOR 

EMC has previewed its upcoming Storage Router, code-named Fabric X, which customers can use to non-disruptively move or replicate data from one heterogeneous storage array to another for disaster recovery or information life-cycle management.

The router, which was demonstrated at the recent Storage Networking World, consists of software that resides on a Brocade, McData or Cisco Fibre Channel switch and a dual-node cluster of Intel servers called control path processors that connect to the fabric switch and act as a metadata repository. The control path processors organize and keep track of the location of data in the virtualized pool of storage.

Storage Router virtualizes or pools data so it can be acted on, managed and moved from one array to another. According to EMC, Storage Router will virtualize data on EMC, IBM, HP and Hitachi high-end and midrange storage arrays.

EMC  demonstrated  a  volume  containing 
a  200M-byte  movie  clip  being  moved 
between  an  HP  Enterprise  Virtual  Array 
(EVA)  5000  and  an  EMC  Clariion  CX  500 
connected  by  both  the  Brocade  Silkworm 
Fabric  Application  Platform  AP7420  and  a 
Cisco  MDS  9216  MultiLayer  Fabric  Switch. 
McData  also  is  expected  to  be  able  to  host 
Storage  Router  later  next  year. 

The  migration  from  the  EVA  to  the 
CX500  occurred  while  the  movie  was 
running. 


Replication across distance and snapshot backups between heterogeneous arrays is a goal of Storage Router, EMC says. EMC also expects to use Storage Router to dynamically reconfigure equipment and to copy data from one device to another for availability.

EMC is not the only vendor in the virtualization market. IBM has its SAN Volume Controller (SVC) software, which resides on an appliance, fueled with a pair of dual-Xeon servers. The SVC, which attaches to the Fibre Channel switch, also can be installed on Cisco’s MDS 9000 Multilayer director-level switch. Hitachi also recently announced heterogeneous virtualization of the Fibre Channel fabric via controllers integrated into its recently introduced
See  EMC,  page  18 
Storage deconstructed: A black box no more


Little by little, “convergence” is helping us take apart the myriad black boxes that have constituted IP infrastructure over the years, and rebuild them as infinitely more flexible, open and economical systems. Just as VoIP is being generally accepted as “mainstream,” the storage arena seems to be blossoming — and demanding our attention.

For us overworked IT infrastructure people, I suppose we should be happy that this is happening in successive, smaller waves rather than a tsunami. But just as we are getting our VoIP migrations under control, we have the gleaming vision of the “brave new world” of storage.

There is something to be said for the days when PBXs were black boxes — fed and cared for by an army of technicians from the AT&Ts and the Northern Telecoms of the world. All IT managers had to do was pay the bills. And because each system was a tightly bundled, proprietary affair, network specialists had little or nothing to do with it.

Not too long ago, the deconstruction of that “black box” forced us to expand our knowledge of voice-specific terminology. Although common lingo today, terms like vocoder, G.711 and PESQ/PSQM were enough to make most of our eyes glaze over.

Now that storage is moving to center stage, so, too, does another set of terms and acronyms. Fortunately, it is not as esoteric as VoIP.

Still, as with the old PBX, living in the age of black box, single-vendor, proprietary storage subsystems simplified life a bit (or a byte). Yes, you’d have to choose your vendor, but beyond haggling over “cost per terabyte” there was relatively little left to do.

As with the closed PBX-to-open-VoIP progression, we’ll ultimately be better off with deconstructed storage. But, as with VoIP, the burden is placed on the IT architects and technologists to understand fully the internal elements of storage.

If you’d managed up to now to avoid having to learn much about, say, Fibre Channel, SCSI and iSCSI, then be put on notice that you already might be starting to fall behind. If LUN, SATA and LTO mean nothing to you or the word “petabyte” hasn’t yet entered your vocabulary, then sit up and take notice. The storage steamroller is heading at you.

Even if you are reading this and thinking “Not me, I’m fine; my job is the network, someone else has to deal with storage,” you’d be wrong. The “storage people” have their eye on your network. After all, the next step of “convergence” has storage slated to run over a standard TCP/IP and Gigabit/10 Gigabit infrastructure.

I recently attended Storage Networking World (www.snwusa.com), where, among other topics, there was a great deal of discussion about distributed file systems and replication. Now while much of this will take place in the “back end” over Fibre Channel networks or dedicated 10 Gigabit-Gigabit Ethernet links, that is not always the case.

Some offerings are targeted at LAN- and even WAN-based replication. While do-able, a “too quick” convergence of bandwidth-hungry storage on top of latency-sensitive VoIP could, without proper QoS and bandwidth management, lead your network to a convergence breakdown — and you to a nervous breakdown.

So if the network is in any way part of your job responsibility, storage better be on your radar screen.

Tolly is president of The Tolly Group, a strategic consulting and independent testing company in Boca Raton, Fla. He can be reached at ktolly@tolly.com.


Proxim  charts  fixed  wireless  path  to  WiMAX 


■  BY  JOHN  COX 

Looking to help provide users with more powerful wireless products and services, Proxim has unveiled a ruggedized version of its Tsunami MP11 point-to-multipoint base station and software.

The Tsunami MP11 5054-R model comes with a rugged enclosure that protects against temperature extremes, rain and dust. The radio can create up to 20 non-overlapping channels in three bands in the 5-GHz frequency. The base station still uses Proxim’s proprietary radio. But the system software is being changed to support features found in the WiMAX standard, also known as 802.16-2004. The change is expected to be complete next year, when WiMAX radios become available to replace existing transmitters.

The box uses Proxim’s own routing protocol and other features to sustain bandwidth over long distances. The maximum data rate is 54M bit/sec, but maximum throughput is 34M bit/sec over 1 to 4 miles, according to Ben Gibson, vice president of corporate marketing at Proxim.

The 5054-R model is aimed at corporations, municipalities and service providers that need high-bandwidth wireless capacity over several miles, with a view to migrating these deployments to WiMAX in 2005, according to Gibson.

The base station’s software supports a number of WiMAX features, such as bandwidth provisioning and mobile roaming. “We’re offering software that enables WiMAX-like applications,” Gibson says. “Our customers can standardize on our platform, and we’ll work with them on a commercial upgrade strategy” to WiMAX.


“A standard like WiMAX makes these products cheaper and easier to deploy.”

Lindsay Schroth
Senior analyst, The Yankee Group


Analysts say Proxim’s approach shows how fixed wireless vendors are charting a migration path for customers from today’s proprietary radios to radios that support the WiMAX standard.

When WiMAX radios are available, service providers and enterprise users will be able to change the radios without having to change the software. “Even if the hardware changes, the software stays the same and is still familiar,” says Lindsay Schroth, a senior analyst at The Yankee Group. “It’s a pretty good strategy.”

Schroth says she expects to see such products from Proxim, Varian and others, in the first wave of certification by the WiMAX Forum early next year.

As Schroth points out, proprietary fixed wireless products have been around for a long time, but without ever becoming a market big enough to challenge other broadband options such as cable or DSL. With the enthusiastic backing of WiMAX Forum members such as Intel, the WiMAX standard will become more important for wireless broadband, especially where a wireline infrastructure is limited or non-existent.

“We’re seeing North American wireless ISPs using this technology to fill in gaps where DSL or cable are not available,” Schroth says. “A standard like WiMAX makes these products cheaper and easier to deploy.”

Starting in 2006 or 2007, Schroth predicts that big carriers such as Sprint will deploy the mobile version of WiMAX, 802.16e (formerly 16a). WiMAX radios mounted in vehicles or in other client devices will be able to maintain high-bandwidth connections with a surrounding WiMAX radio infrastructure that might supplement a carrier’s cellular network.

The MP11 Model 5054-R is available now. The base station costs about $2,000; the subscriber unit is available in two models, one with an integrated antenna priced at about $1,200, the other with just a Type-N Connector for a third-party antenna priced at about $1,000.

Proxim also announced the Tsunami QuickBridge II, a wireless outdoor bridge in the 5-GHz band, with throughput up to 36M bit/sec over about 1 mile; and the Tsunami GX 32 and GX 90 point-to-point wireless Ethernet bridges, also in the 5-GHz band. The GX 32, with two T1/E1 interfaces, supports 16M bit/sec at full-duplex; the GX 90 up to 45M bit/sec. Both have a range of up to 8 miles.

The QuickBridge product costs about $6,500, or about $8,000 with two T-1/E-1 interfaces; the GX 32 costs about $7,400; the GX 90 costs about $11,400. ■


continued from page 17

TagmaStore array.

Analysts question where virtualization should reside.

“A fabric- or appliance-based approach that is a part of the fabric is the best approach,” says Stephanie Balaouras, analyst for The Yankee Group. “A storage router/appliance approach would be less expensive than an array approach like Hitachi’s, which locks the user into using Hitachi gear. However, for consolidation and tiering of storage, Hitachi’s approach makes a lot of sense.”

The highlight of Storage Router is its ability to perform operations without taking down applications or affecting the state of the network. Data integrity is ensured and users will not see any disruption of operations.

Storage Router is expected to conform to the Fabric Application Interface Standard, a common API for implementing storage applications in a storage networking environment.

The router is considered to be an out-of-band appliance as it relies on the Fibre Channel switch to handle as much as 99% of the I/O operations. It is expected to perform at 30,000 to 40,000 I/Os per second.

Storage Router is in beta test now, with EMC expecting it to be generally available in the first half of 2005. ■



■ Veritas Software last week announced a new version of its OpForce provisioning software designed to make it easier for administrators to install and manage applications and server operating systems. OpForce 4.0 is based on software acquired in Veritas' 2002 purchase of Jareva, and the release represents the first time the software can be used to manage and set up applications and operating systems. OpForce 4.0 features tighter integration with BEA Systems' WebLogic application server. This means WebLogic users will be able to use features such as pre-configured templates to more easily manage their software for use with OpForce. Support for OpForce has been integrated into WebLogic 8.1 Service Pack 3, BEA says. OpForce can be used to provision any application and a variety of operating systems, including Windows, Linux, Solaris and AIX, Veritas said. The software, scheduled to ship this month, comes with a management server that costs $7,500. Users must pay another $500 per processor on servers that are managed by OpForce.

■ Netspoke, in an effort to add streaming media technology to its conferencing portfolio, last week acquired the software assets of e-StudioLive for an undisclosed sum. E-StudioLive began life offering a hardware-based appliance for capturing and creating streaming media presentations that included audio, video and slides. The company was in the process of developing a software-only application but never released it. Netspoke, which offers audio, Web and video conferencing services and competes with the likes of WebEx Communications and Genesys Conferencing, bought just the software technology but no physical or personnel assets from the company. Netspoke plans to integrate the streaming creation and management technology into its service offering early next year.


IPLocks  reinforces  security  tool 


■  BY  ELLEN  MESSMER 

Looking to help users protect corporate assets from theft, fraud and other abuse, database-security software vendor IPLocks this week announced a new version of its database monitoring, assessment and analysis tool.

The IPLocks software, which runs on a 32-bit Linux or Windows server inside the network to check each corporate database, now supports IBM’s DB2 and Microsoft SQL 7 databases. The company already supported Oracle, Sybase and other databases.

The IPLocks database-security tool only scans for vulnerabilities and checks that user permission and accounts are configured properly. It reports on whether data corruption affected a particular transaction or if user behavior violated security policy.

In addition to supporting a wider range of databases, IPLocks 4.2 provides a way to do customized procedural-language-based scans written in PL/SQL and Transact/SQL scripts, says Adrian Lane, CTO at IPLocks.


The real IP

IPLocks was founded in January 2002 in Japan by Akio Sakamoto, its CEO, and the name refers to locking down intellectual property, not the Internet Protocol.

Western Corporate Federal Credit Union (WesCorp), which has $25 billion in assets and provides back-office management services to about 1,000 credit unions, uses IPLocks to monitor user behavior and perform vulnerability checks for several databases, such as SQL Server, DB2 and Oracle.

“It gives us a good understanding of who is accessing data, and why and when, and that also could be a machine and software process as well,” says Chris Hoff, chief information security officer at WesCorp in San Dimas, Calif. Hoff says IPLocks can notify him by e-mail about anything that appears to fall outside of set policy.

Guardium,  Lumigent,  Internet  Security 
Systems  and  Application  Security  offer 
competing  database  scanners  and  audit 
tools. 

IPLocks  costs  $3,000  per  database.  ■ 


Reactivity  enhances  Web  gateway  OS 

XOS  4.1  can  boost  throughput,  adds  support  for  SAML-based  security  tokens. 


■  BY  JOHN  FONTANA 

Reactivity this week is set to release operating system enhancements for its Web services security gateway intended to provide corporations with the performance and interoperability they need to expand Web services deployments across their own networks or through projects with partners.

The company’s XML Operating System (XOS) 4.1 boosts throughput to 440M byte/sec within the Reactivity Gateway software. With the addition of Tarari’s silicon-based XML content-processing engine, throughput can reach gigabit speeds.

Reactivity also has added to the software schema and Simple Object Access Protocol (SOAP) header management features and enhanced its interoperability with security tokens based on the Security Assertion Markup Language (SAML).

“With the dynamic nature of the standards, it is vital that Reactivity keep up with them and they have been doing a good job with it,” says Christopher Crowhurst, vice president and principal architect for Thomson Learning in Stamford, Conn., which develops learning materials for individuals, businesses and academic institutions around the world. Thomson is testing SAML as a means to pass around policies such as encryption and certification requirements and authentication data as part of its Web services infrastructure.

“We tested SAML against more systems,” says John Lilly, CTO of Reactivity. “The standard is mostly specific enough but there is still enough variance between the different vendors that we assured interoperability with our SAML engine.”

Lilly says that engine can validate SAML assertions, insert SAML assertions into XML message streams or call out to get a SAML assertion from another system.

New with Version 4.1 is a schema management feature that lets users bundle any number of requests for schema documents into one message instead of making each request individually.

The feature is aimed at speeding the processing of schema documents. In addition, the new SOAP Header Processing feature lets users require, reject, filter and transform SOAP headers regardless of where they originate, and a testing feature lets developers test services with the Gateway before they go live.

Reactivity’s gateway and XML acceleration products compete with the likes of DataPower, Sarvega, Forum Systems and Actional, which recently acquired Westbridge Technologies.

Reactivity also has added support for all four SAML token formats described in the WS-Security specification. Reactivity tested the feature against SAML implementations from Sun, RSA Security, IBM and Netegrity, which Computer Associates recently acquired. Next spring, Reactivity plans to add support for SAML 2.0, which now is awaiting final standards approval.

The Reactivity Gateway with XOS 4.1 costs $65,000. ■
NSA Projects, Manhattan and otherwise


The U.S. National Security Agency does not see its mission as being limited
to peering through keyholes to figure out what “the other guys” are up to.
The NSA also tries to protect our cyber shores from attack. This part of
NSA’s mission is far from new, but it got some interesting and maybe
confused press recently. The NSA has been telling people how to think about
computer security at least since
the early 1980s. The original Trusted Computer System Evaluation Criteria
(aka the Orange Book) was published in 1983, and since then the NSA has
published various documents to help people evaluate the security of systems
or to configure systems in the most secure way that can be done considering
the underlying operating system. For example, the NSA’s Central Security
Service has an online repository of more than 70 guides for configuring PCs,
routers and more. The latest batch includes one for configuring Apple OS X
systems (see www.nwfusion.com, DocFinder: 4536).

In mid-October Daniel Wolf, the NSA’s information assurance director, spoke
at the Microsoft Security Summit East. Wolf talked about a number of things,
but different ears seem to have focused on different things he said or maybe
overinterpreted his words.

The official NSA press release (DocFinder: 4537) focused on Wolf’s
enthusiasm for vendors’ “progress and future plans to enhance the security
of operating systems and desktop applications” and the fact that “the onus
is now on the users” to do their part by “applying the latest patches and
software updates.” This report says Wolf also mentioned two efforts that the
NSA is engaged in to promote the development of security criteria and for
security testing.

The latter project has tested and ranked the security of a large number of
products. I am not all that sure the reporters from Federal Computer Week
and Government Computer News went to the same talk described in the NSA
press release or that they went to the same talk as each other, even though
they both wrote about a mid-October speech by Wolf. The Government Computer
News reporter focused on the NSA’s development of a “three-phase
architectural plan for secure worldwide data sharing” among intelligence
agencies and the military. She also mentioned in passing a possible, but yet
unfunded, office to push high-assurance software that she quoted Wolf as
saying would be a modern equivalent of the World War II Manhattan Project.
The reporter for Federal Computer Week made the unfunded office the focus of
her report, noting that it would be a government-funded research center
“devoted to improving the security of commercial software.” She also
included mention of government concern over the offshore development of
much of the next generation of commercial software.

So  maybe  the  NSA  is  planning  a  new 
Manhattan  Project  and  maybe  it  is  not.  In 
any  case,  the  agency  continues  to  crank 
out  useful  work. 

Disclaimer: Harvard’s expansion into Allston, Mass., might be almost as
expensive, in non-constant dollars, as the original Manhattan Project but it
will be nowhere as secret (at least going forward). But the above commentary
is my own.

Bradner  is  a  consultant  with  Harvard 
University’s  University  Information  Systems. 
He  can  be  reached  at  sob@sobco.com. 
Deployment options put speech within reach


■ BY ANN BEDNARZ

People who want to build a new home can hire an architect to design a
one-of-a-kind custom dwelling, pick from a range of stock house plans or buy
prefabricated house parts ready for the field. Deciding which is the right
way to go depends on schedules and budget, among other factors.

Companies in the market for new call routing and self-service speech
applications have similar options at their disposal. Like home construction
alternatives, today’s speech deployment options range from the custom-built
to the pre-built. It’s different from in the past, when companies had little
choice but to develop speech applications using one vendor’s proprietary
platform and tools — aided in many cases by an army of consultants.

Today corporate buyers can sacrifice application customization and
complexity in favor of configurable, packaged offerings, often geared to
specific vertical markets. ScanSoft, for example, offers SpeechPaks tailored
for healthcare and utility companies that combine design templates, standard
call flows, dialog components and pre-recorded voice prompts.

In addition, the advent of standards such as VoiceXML and the
Microsoft-backed Speech Application Language Tags is letting users develop
applications that can be ported from one vendor’s platform to another.

Users are buying into the idea, analysts say. According to Gartner, 50% of
voice application development will be based on platform-independent
application development tools by year-end 2006.

At the same time, outsourced services from vendors such as Tellme Networks
and NetByTel are getting the attention of companies that want to avoid the
capital expenditure required for traditional voice technologies deployed
in-house.

Taken together, these trends are driving up demand for voice-enabled
technologies. According to Datamonitor, global voice business revenue
totaled more than $800 million in 2003 and is expected to hit $1 billion
this year and $1.3 billion by the end of 2005.

Speech  in  small  doses 

WageWorks.com’s experience is typical of a midsize business that wants
speech-enabled applications but is held back by the cost of entry. Randy
Rubingh, director of customer service at the San Mateo, Calif., benefits
administration company, had been looking to invest in a traditional
interactive voice response (IVR) platform but found the technology too
expensive for his company’s budget and too specialized for existing staff to
manage.

“Not only was the expense of paying $150,000 or $250,000 for an IVR system
too much for a company of our size, but we also would have had to hire
another telecom person,” Rubingh says.

He found an alternative in Angel.com, which develops and hosts IVR
applications for tasks such as resetting passwords, placing an order and
conducting speech-enabled phone surveys. Angel’s hosted model gives
WageWorks the tools to build and deploy its IVR applications, billed on a
pay-as-you-go basis.

WageWorks  is  using  Angel’s  services  to  automate  certain 
Getting speech savvy

Companies planning to deploy automated speech-recognition technology need a
clear plan, Gartner says. Here are some of the research firm’s tips for
devising an enterprise-wide speech strategy.

•  Institute an advisory group to assess business units' needs for
enterprise speech technology and applications.

•  Prioritize opportunities to use automated speech-recognition
applications.

•  Consider options to consolidate corporate toll-free numbers.

•  Use specialists with proven experience in designing voice user
interfaces.

•  Define guidelines for purchasing speech technology.

•  For the first rollout, pick applications that make a difference, but
don't pick the most mission-critical applications.

benefits-related  functions.  For  example,  customers  can 
enroll  in  new  services  or  check  the  status  of  pending 
claims  using  speech  commands. 

For Rubingh, one important feature is the ability to make application
changes through a Web browser. WageWorks can upload its own recordings and
modify call flows, for example, on the fly. With other hosted services, the
company would have to make change requests and wait for the provider’s
technicians to make the changes, Rubingh says.

In return, Angel collects per-minute charges. Service costs start at $40 per
month for the tools needed to build and manage an application, plus 300
minutes of usage, says Mike Zirngibl, president and CEO of the company.

Angel’s line charges are three to four times the cost of standard line
charges, Rubingh says. But transactions handled by the automated service
cost about one-quarter the price of those handled by live WageWorks agents,
he says. “Right out of the box, we started saving the equivalent of four
full-time employees,” Rubingh says.

Speech  to  go 

One real estate firm’s foray into speech-enabled applications was driven by
a need to find its agents more easily.

For realtors, accessibility is critical, says Mike Crowley, vice president
of Century 21 Automated Real Estate Center in Mission Viejo, Calif. Crowley
for years had mulled unified messaging services that promised anywhere,
anytime access to voice, fax and e-mails, but only recently pulled the
trigger on technology that combines automated attendant, call-processing and
call management applications.

“We had been thinking about unified messaging for many years. The seed
germinated back in 1997 or ’98, but it was prohibitively expensive at that
point,” Crowley says. “In 2003, the technology was refined enough, and the
price came down enough, for us to implement.”

The two-location Century 21 franchise is using unified messaging tools from
Applied Voice & Speech Technologies (AVST). The vendor’s CallXpress software
bundle — which gets tied to a user’s existing PBX or IP-PBX switches — works
with IBM, Microsoft and IMAP e-mail servers to combine voice, fax and e-mail
messages in one in-box and make them accessible via telephone, wireless
device or computer.

With AVST’s Seneca speech-enabled call management module, agents can use
voice-activated commands to manage phone calls, e-mails and faxes.
Text-to-speech functions convert e-mails and faxes into computer-generated
speech that can be “read” to the user over the phone.

Instead of giving customers three different phone numbers where they can be
reached, an agent just has one number to give out, Crowley says. The
technology finds the agent, whether he is at home, on the road or in the
office.

As an added bonus, the technology has let Century 21 Automated cut back on
the physical office space it leases. Agents spend less time in the office
because they’re not constantly stopping in to check for e-mails and faxes,
Crowley says. Most spend 90% of their days on the road now, as opposed to
50% in the past, he says.

Pricing  for  AVST’s  unified  messaging  platform  starts  at 
about  $1,000  per  port. 

Speak,  don't  press 

TuVox’s voice recognition software found a place in Activision’s customer
service operations — even though the software game developer already had
automated 60% of inquiries to its call center using more traditional,
menu-based IVR technology.

Using TuVox’s hosted services hasn’t significantly increased the number of
calls that are handled automatically as opposed to through a live agent. But
getting rid of tedious, menu-based prompts in favor of a more user-friendly
conversational system has improved customers’ experience, says Jim Summers,
vice president of quality assurance and customer support at Activision in
Santa Monica, Calif.

“The fundamental problem we were trying to solve is the issue of ‘If you
want this, press 1. If you want this, press 2. If you want this, press 3,’”
Summers says. “That’s just very tedious, very difficult and very limiting.”

Spending $1 million or more on an in-house deployed speech recognition
system didn’t add up to a favorable ROI scenario for Activision, so the
company looked to a hosted provider, Summers says. TuVox keeps the system up
and running, which lets Activision focus on its core business.

“We don’t want to become experts in speech recognition, we just want to
serve customers,” Summers says. Activision supplied TuVox with the material
to produce a speech database, and TuVox did the heavy lifting, freeing
Activision from a hefty upfront capital expenditure. “From our standpoint,
this is really peripheral to our core operations. We didn’t want to invest
more than we need,” Summers says. ■


AT&T  adding  tool  to  help  thwart  attacks 


Security trends

Symantec’s Internet Security Threat Report* details the latest trends
on who or what is trying to attack your network. According to the report:

•  With 15% of attacking IP addresses performing a Slammer worm-related
attack, it is the most common assault.

•  Gaobot, a remote access Trojan bot, is the second most common attack.

•  E-commerce sites are the most targeted of any industry, with a 400%
increase compared with the previous six months.

•  Small businesses are the second most targeted.

•  The average vulnerability-to-exploit time is 5.8 days, leaving users with
less than a week to patch security holes once revealed.

•  Bot attacks are on the increase from 2,000 monitored bot-controlled
machines per day to 30,000 per day.

*Report based on findings from the first six months of 2004.


■  BY  DENISE  PAPPALARDO 

AT&T last week announced its newest Internet Protect security service, which
is designed to help business customers mitigate worm and virus attacks on
their networks.

The service, which has not been named, integrates worm and virus mitigation
capabilities into AT&T’s network-based firewall service, says Stan Quintana,
vice president of managed security services at the carrier. The technology
deployed throughout AT&T’s global IP network aids in identifying worms and
viruses while diminishing or eliminating the destructive effects these
attacks can have on customer networks, he says.

“We are enabling our network-based firewall service to filter out worms and
viruses based on specific rule sets,” Quintana says. “We’re doing real-time
mitigation.”

The policies or rules will be changed and updated based on information AT&T
gathers from its global network. If a worm is detected in Singapore, for
example, AT&T will update the policy on all of its network firewalls to
filter traffic associated with that worm so it never hits customer networks.

AT&T is using a combination of technology to support its worm and virus
mitigation service, including gear from Arbor Networks and proprietary
technology from AT&T Labs.

This is AT&T’s second security service with the goal of thwarting attacks.
The carrier introduced in March its Internet Protect DoS Defense service
(www.nwfusion.com, DocFinder: 4541). This was one of the first proactive
denial-of-service (DoS) offerings that notifies users they might be under
attack and immediately takes steps to fight back.

MCI and Sprint are offering anti-DoS services. MCI announced it will offer a
DoS protection service in May (DocFinder: 4543). Sprint announced its
anti-DoS service last month (DocFinder: 4542). Neither carrier is
specifically offering a proactive worm and virus mitigation service.

AT&T’s worm and virus mitigation service, which is slated for availability
early in 2005, promises to alert users before damaging traffic hits customer
networks, while also taking steps to diminish the effects of such attacks.

Although the service is not yet available, AT&T has tested it with a handful
of users, including Pitney Bowes and the United States Olympic Committee
(USOC).

Pitney Bowes, a $4.6 billion company that offers integrated mail and
document management products and services, started evaluating AT&T’s worm
and virus mitigation service about nine months ago.

“One of the first things we liked about the service is the early visibility
it gave us into the global Internet,” says Trevor Odell, manager of security
administration at the Stamford, Conn., company.

In addition to AT&T’s service, Pitney Bowes has four other security products
deployed in its network that detect potential worm attacks or viruses.
“Every single time, [AT&T] has beaten out our other security products by
being the first to notify us of a potential problem,” Odell says.

This is important to Pitney Bowes, which in late October had its first
zero-day attack, Odell says. A zero-day attack refers to the time between a
software vulnerability being revealed by a vendor and an attack taking
place. “It used to be we’d have four to six months,” Odell says. “Now we’re
lucky if we have 24 hours.”

Ensuring network security is increasingly important because the company
keeps ports open for Internet traffic, customer and third-party access. “You
have to have an open network to do business,” Odell says. With a worldwide
network of more than 30,000 nodes spanning all seven continents, Pitney
Bowes has its hands full trying to keep its network free of viruses and
worms, Odell says.

The USOC tested AT&T’s service during the Olympic games in Athens this
summer. “We were able to rest easy” while in Athens knowing the network in
the U.S. was under close watch, says Becky Autry, CIO in the USOC’s Colorado
Springs headquarters.

The USOC is a nonprofit group with limited budget and staff, she says.
“Knowing that we can be a target, we wanted as many security measures in
place as possible,” she says. While interested in both of AT&T’s Internet
Protect services, Autry says she is not sure the USOC can move from beta to
full-fledged customer because of a tight budget.

This latest Internet Protect service will be an add-on feature for
network-based firewall service customers. The carrier charges for that
service based on how much bandwidth the customer connects to the firewall.
AT&T plans on charging a flat fee for the worm and virus mitigation on top
of the firewall offering. ■


■ Netli is adding free network-based storage to its Internet-acceleration
service so customers can avoid adding Web gear when they need to store Web
data that doesn't get accessed very often. The company provides 1G byte of
storage free with its NetLightning service. NetLightning runs customer
traffic through its data centers, where it modifies the traffic so it
crosses long stretches of the Internet faster. It does this by using the
company’s own Internet protocol — called Netli Protocol, which is a
modification of TCP/IP that reduces latency. More storage costs $100 per
gigabyte per month. NetLightning costs $8,000 to $15,000 per site, per
month.

■ Mahi Networks recently announced that Bill Cadogan has been appointed
chairman and interim CEO. He replaces Chris Rust, who returned to the
venture capital business. Cadogan is the former chairman and CEO of ADC
Telecom. During his tenure, ADC’s revenue increased from $200 million to
more than $3.5 billion. Mahi Networks was founded in September 1999 as a
developer of multiservice optical switches and transport systems. In June
2004, Mahi acquired Photuris, a maker of multiservice core optical transport
systems.

■ Competitive local exchange carrier Cogent Communications Group recently
announced the acquisition of assets from Aleron Broadband Services, formerly
known as AGIS Internet, including its customer base and network. Terms were
not disclosed. Cogent will retain all 25 Aleron employees and will relocate
Aleron offices from Virginia to Cogent’s Washington, D.C., headquarters.
Through the acquisition, Cogent has received more than $18 million. Cogent
has now acquired three of the original generation of ISPs, including PSINet,
NetRail and Aleron (AGIS Internet).


opportunities or mergers and acquisitions. The ability to react quickly
translates to top-line revenue, and the ability to adjust efficiently equals
lower costs.

Making  an  enterprise  agile  is  easier  said 
than  done.  But  here’s  a  good  place  to  start: 

•  Consider wireless. Many companies with have found that properly deployed
wireless infrastructure can help them roll out new offices, support
infrequent gatherings such as executive conferences, and more efficiently
interact with customers or suppliers. The catch is that proper deployment
means taking into consideration security and manageability, both of which
can be major headaches for organizations that have gone wireless via ad hoc
rollout of wireless switches and routers.

•  Maintain multiple telecom relationships. Many companies ask me to help
them consolidate all telecom services to one provider. Bad idea. A
single-carrier strategy is a total-control strategy — as in, the carrier has
total control over you. With multiple providers, you take the reins. Let’s
say one carrier is providing voice services while another is running your
data network — and you suddenly require a new data service to be up and
running in weeks. You’re more likely to get it if you ask both your
incumbent providers to compete against each other to deliver your services.
Now a converged infrastructure might mean that you choose to apportion your
carrier relationships differently — perhaps West Coast/East Coast, rather
than voice/data. But the more suppliers you have, the faster you can get one
to address your needs.

•  Design in redundancy. I’m not talking about disaster recovery but about
flexibility. Well-architected user interfaces invariably provide more than
one way to get things done — your network should do the same. Here’s an
example: If you can e-mail-enable the cell phones of your telecommuting
employees, you’ve provided them with an alternate path for getting e-mail.
Not only are you protecting against unexpected outages, but you’ve also
provided an alternate way for employees to communicate, which can result in
greater efficiency. Remote salespeople, for example, might find it easier to
message headquarters directly from the client site — which results in
fresher information.

•  Make sure you’re effectively leveraging virtual networking. Whether it’s
a VPN instead of a legacy service, or a box with virtual routing capability
rather than a chassis filled with router blades, virtual networking makes it
possible to react quickly and effectively to changes.

Bottom line: Agility isn’t something that can be forklifted into a company,
but using it as a guiding principle can yield measurable benefits.

Johnson  is  president  and  chief  research 
officer  at  Nemertes  Research,  an  indepen¬ 
dent  technology  research  firm.  She  can  be 
reached  at  johna@nemertes.com. 


Enabling the agile enterprise


I recently listened to leading executives from my company’s IT advisory
board discuss their top technology issues. These CTOs, CIOs and senior IT
executives from a range of midsize-to-large organizations had many concerns.
But front and center for almost all of them was the question of how to
enable the agile enterprise.

An agile enterprise reacts quickly and efficiently to changes, such as
market



FOR TYING TELEWORKERS TO THE ENTERPRISE


Buffalo  charges  Citrix  GoToMyPC 


‘Remote  router’  offers  secure  access  to  PC  desktop  and  network  resources 


■  BY  TONI  KISTNER 

Small office/home office network hardware vendor Buffalo Technology has announced a security router with a clever mix of remote access and PC remote control capabilities that could lure away some of Citrix GoToMyPC’s 150,000 users and help Buffalo increase its current 7% share of the U.S. market.

Standard features on the Buffalo Wireless Secure Remote Gateway (WRZ-RS-G54) include a four-port switch, SPI firewall, intrusion detection and an 802.11g wireless access point.

Other secure routers in its class typically include an IPSec VPN client, which means you need a box on each end of the connection to create a secure tunnel. In contrast, the Buffalo router includes a Point-to-Point Tunneling Protocol VPN server, which means any remote client with the PPTP client (and permission) can set up a VPN tunnel to a network. Microsoft’s original IP tunneling protocol, PPTP is supported by most client platforms, including Windows, Macintosh, Linux, Pocket PC OS and Symbian. Most PPTP clients are free; the Palm OS client costs about $30.

Access everything

The router’s Web portal displays a box for each PC and network device; icons in each box show available services.

To access the turned-off PC, BrianV, remotely, you click the Wake-on-LAN button to boot the system, then the VNC button to control the PC.

To access files on the LinkStation NAS box, click Shared files. To transfer files to another system, click the FTP Server.

When pressed, the router searches the network for new devices.

Takes

■ Remote Work Central and satellite services provider Loral Skynet have teamed to deliver secure telecommuting and remote-access connectivity to individual remote users, small and midsize companies, and government organizations. Loral Skynet's SkyReach satellite broadband service provides workers anywhere with 2M bit/sec download and 512K bit/sec upload speeds. SkyReach works with SSL VPN clients and V-One's application-level VPN client.

■ Nearly 80% of DSL subscribers would cancel their cable TV subscriptions if their telco provided voice, data and entertainment services, a poll of 2,000 DSL users 2Wire conducted found. Fifty-five percent of respondents also would choose their telcos over cable operators as a single provider. Saving money motivated 73% of respondents. Remote access to home networks and remote home monitoring via Webcam were considered important by 26% and 18% of respondents, respectively.

■ Hawking Technologies has announced an 802.11b/g Wi-Fi Locator. The pocket-sized device uses a hi-gain antenna to detect the presence of wireless networks; a built-in utility provides signal strength and the direction from which the signal originates. Hawking says plans include bundling the locator with an 802.11g USB adapter. Wi-Fi Locator costs $35.

Once you make the PPTP connection to a router, a portal page gives you access to all resources on your home network, such as servers and printers, and control over individual PCs, as you get with GoToMyPC.

To access the desktop, the Buffalo router uses a variant of the open source Virtual Network Computing standard, TightVNC. VNC is widely used by the tech community; its only flaw is lack of security. But Buffalo has secured VNC by running it inside the 40- or 128-bit encrypted PPTP tunnel. Buffalo also uses a Java-based control application, so you can run the Web-based remote control session using any browser, including Opera and Safari. GoToMyPC, in contrast, only works with Internet Explorer and Netscape Navigator, and Windows (95 and up) host machines. However, the GoToMyPC Universal Viewer and PocketView let you connect using an array of clients.

Two key features are support for Wake-on-LAN and Dynamic DNS. One of the big downsides of remote PC control products is the need to keep the host PC running all the time. This can be inconvenient (if you turn off the machine and no one is home to turn it back on), a security risk and a waste of electricity. The average monthly cost for running one PC and monitor 24/7 is about $15, experts say.

With Wake-on-LAN, a router user can keep his systems turned off while away and simply click the activation button on the portal page to remotely instruct the PC’s network card to boot up the host system.
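Wake-on-LAN in general works by sending the sleeping PC's network card a "magic packet": six 0xFF bytes followed by the card's MAC address repeated 16 times, with no authentication. The following is an added example, not code from the article or from Buffalo; it builds that payload and scans captured payloads for wake requests aimed at machines outside an expected list. The function names and sample MAC addresses are constructed for illustration.

```python
import re

SYNC = b"\xff" * 6            # synchronization stream that opens every magic packet
REPEATS = 16                  # the target MAC follows, repeated 16 times
PACKET_LEN = 6 + 6 * REPEATS  # 102 bytes in total


def parse_mac(text):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff or bare hex."""
    digits = re.sub(r"[:.\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def format_mac(raw):
    """Render 6 raw bytes as lower-case colon-separated hex."""
    return ":".join(f"{b:02x}" for b in raw)


def build_magic_packet(mac):
    """Return the 102-byte payload a network card in Wake-on-LAN mode listens for."""
    return SYNC + parse_mac(mac) * REPEATS


def find_wake_targets(payload):
    """Return the MAC of every well-formed magic packet found anywhere in payload.

    The pattern may sit at any offset (after padding or other headers), so each
    candidate run of 0xFF bytes is checked, not just the start of the payload.
    """
    targets = []
    start = payload.find(SYNC)
    while start != -1:
        body = payload[start + 6 : start + PACKET_LEN]
        mac = body[:6]
        if len(body) == 6 * REPEATS and body == mac * REPEATS and mac != SYNC:
            targets.append(format_mac(mac))
            start = payload.find(SYNC, start + PACKET_LEN)  # skip past this packet
        else:
            start = payload.find(SYNC, start + 1)           # try the next offset
    return targets


def unexpected_wakes(payloads, allowed_macs):
    """Report wake targets that are not on the list of machines meant to be woken."""
    allowed = {parse_mac(m) for m in allowed_macs}
    seen = set()
    for payload in payloads:
        for mac in find_wake_targets(payload):
            if parse_mac(mac) not in allowed:
                seen.add(mac)
    return sorted(seen)


if __name__ == "__main__":
    # Constructed sample data: one expected wake-up, one for an unlisted machine,
    # and one truncated packet that a network card would ignore.
    home_pc = "00:11:22:33:44:55"
    captured = [
        build_magic_packet(home_pc),
        b"\xff\xff" + build_magic_packet("00-AA-BB-CC-DD-EE") + b"pad",
        build_magic_packet(home_pc)[:-1],
    ]
    print(unexpected_wakes(captured, [home_pc]))
```

Because the packet carries nothing but the MAC address, any host that can reach the LAN segment can wake a machine, which is why the router's VPN login is the only gate in front of the portal's wake button.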

Dynamic DNS solves the problem of remotely connecting to PCs with dynamic IP addresses. A number of dynamic DNS services keep track of PCs’ IP addresses each time they change, so remote users can find them — a task remote-control services handle on their servers. The Buffalo router includes client utilities from TZO and DynDNS. The former ranges in cost from about $30 to $60 per year, depending on whether you use the TZO domain name or your own. The latter is free.

In addition to gaining access to applications, data and network resources from anywhere, the Buffalo router lets you do new things like drag files to the Web portal to print on a remote printer; stream audio and video files, and save photos from any client device to a network-attached storage device such as the Buffalo LinkStation; and wake up and access your home PC with your cell phone or PDA.

without a subscription.

The Buffalo Wireless Secure Remote Gateway includes features new to SOHO wireless security routers, such as a PPTP server, Wake-on-LAN support, VNC PC remote control and dynamic DNS service.

To ease the router’s network and wireless configuration, Buffalo uses its AirStation One-Touch Security System (AOSS), which automatically sets up a secure wireless network with the push of a button. AOSS detects and configures other AOSS-enabled devices on the network and creates a secure connection based on the highest level of security all devices support.

Scheduled to ship in December, the Buffalo Wireless Secure Remote Gateway lets you remotely access any number of PCs and devices for a one-time cost of $199. In contrast, a one-PC host subscription to GoToMyPC costs about $20 per month or $179 per year. Two PCs cost $30 per month or about $270 per year. Additional PCs are about $15 per month or $135 per year. ■


ADVERTISEMENT

Your  Newest  Enemy:  Unprotected  Endpoints 

iPass  CTO  Roy  Albert  talks  about  achieving  gap-free  protection 
for  your  enterprise  network. 


A dramatic shift is on the way for IT organizations, according to Roy Albert, chief technology officer at iPass. While much has been made of the need to protect the edge of the network, Albert believes IT organizations should place more focus on the rapid proliferation of unprotected devices hooking onto the network and the inherent security risks of having mission-critical data on those devices. Albert says IT managers should immediately address this issue — what he sees as an unacceptable gap in enterprise security — before corporations possibly suffer the competitive, financial, and legal consequences of having that data stolen. Here he outlines the threat and how IT managers can protect themselves.

Why do you see remote and mobile devices as a severe network threat?

There was a point last year when security cropped up in all our customer conversations. IT managers were asking: How do I stop viruses from coming in and affecting my entire network? We discovered that while most vendors have made a big deal about protecting the edge of the enterprise network, there’s another strategic inflection point that is coming — the devices themselves. IT managers don’t yet pursue the security of those devices as if their jobs depended on it. Yet those devices [especially those carried by senior executives] have mission-critical data on them which needs to be protected.

In terms of sensitive documents and financials?

People have e-mails and financial documents and confidential customer information that lives on laptops and handhelds — and many of these people travel extensively. If those devices are compromised and critical information is stolen, the company may have just allowed information to leak to a competitor, or may have violated customer data privacy. Mobile devices are becoming easier to lose as they become smaller and more portable. IT groups have to take responsible precautions to protect those mobile devices.

Enterprises as a whole are becoming mobilized — resources that used to be centralized are moving out to mobile devices; so you have to think about your security in terms of the extended enterprise. Devices need to be protected in their own right. Additionally, users don’t always connect to the enterprise every time they log on to the Internet. Therefore, in order to achieve gap-free protection, IT managers need to focus on the defense of mobile and remote devices anytime they are connected to the Internet.

What are the biggest concerns in supporting and protecting remote and mobile devices?

The first is protecting the information on users’ machines, because that is part of the intellectual property of the corporation. The second big concern is ease of use. IT departments are besieged by trouble calls when the users are blocked [from the network]. We have seen recent instances where IT managers have sacrificed security for ease of use and have gotten into trouble later. So the real challenge is to implement security so that it doesn’t interfere with the end-user experience.


ARE YOUR IT ASSETS SECURE?

Follow these steps for gap-free protection.

User Identity — Make sure user credentials for Internet and VPN access are protected as they transit local access providers and the Internet.

Endpoint Integrity — Perform assessment and remediation on all mobile and handheld devices connecting to the Internet from outside the firewall.

Enterprise Network — Put in place a mechanism that lets you deny untrusted users and endpoints access to network assets.

Device Identity — Only let trusted devices have full access to your enterprise.

Session Data — Limit the ability of users to communicate with insecure sites without a VPN in place to avoid data or identity theft.


What about regulatory issues? What role do they play in securing the devices in the extended enterprise?

I think we’re going to see more legislation — already there’s HIPAA in the U.S., among others — and we’re going to see more inadvertent disclosures. Perfect security is cost-prohibitive, but the IT department is obligated to do a reasonable job of protecting devices. The unfortunate truth is that many IT departments don’t have a clear idea of what their risk exposure is from remote and mobile devices.

What are some of the ways IT managers can address device security?

Deployment of personal firewalls, anti-virus software and VPNs in a thoughtful way would be a good strategy. Deployment of assessment and remediation and patch management to ensure these security products are kept up to date would also be a good idea. The IT manager needs to understand what he has to do to protect his devices and needs to understand the behavior of his users. He needs to understand how often his users are accessing the Internet in the absence of a VPN and what kinds of networks they’re connecting to — such as wireless or shared broadband. And he needs to know what kinds of attacks are happening and how to protect against those.

It’s important to note: VPNs protect the data moving between the laptop and the enterprise — they don’t protect the laptop itself from being compromised. They don’t address whether the user credentials used to get on to the device were administered properly and they also don’t protect the enterprise network, which can be infected by viruses transmitted by mobile devices connecting through a VPN tunnel.

How can IT managers install and maintain security procedures on devices?

Put in an automated patch management system that addresses the specific challenges of a mobile environment: whether, for example, the client polls for updates or a server pushes them to users who are only occasionally online; whether the system has the ability to trickle updates over low-bandwidth connections; or whether you provide the ability to resume updates after a connection has been lost. A patch management system will automatically determine what patches are available, assess the devices and report back to the IT manager. The process needs to be automated because IT departments can’t spend their lives looking for patches and getting them to the machine on a timely basis.

Also, to protect against untrusted devices, consider some of the emerging device authentication approaches, such as iPass’ DeviceID service. It lets you reliably identify the device as a trusted corporate asset and assign rights, or block access, accordingly.

GET  TRUE  GAP-FREE  PROTECTION 
BY  SECURING  YOUR  ENDPOINTS 

Download  the  iPass  Policy  Orchestration 
White  Paper  to  Learn  How 
to  Shore  Up  Your  Network. 
www.ipass.com/policyorchestration 
■ AN INSIDE LOOK AT THE TECHNOLOGIES AND STANDARDS SHAPING YOUR NETWORK


SMASH  simplifies  server  management 


HOW IT WORKS: SMASH CLP

SMASH CLP is a user-friendly command/response protocol that enables simple and intuitive management of heterogeneous servers in a data center.

[Diagram: a network administrator sends the command "-> show" over the transport protocol to a server, which returns the command output.]

1. A network administrator needs to see information about the target server and initiates a SMASH CLP interaction using a text message protocol.

2. SMASH CLP transmits the text command message over the transport protocol to the server.

3. SMASH CLP transmits the command output from the server via the transport protocol.

4. The network administrator receives the command output, which in this example shows the valid server targets (GPU, disk, sensor and firmware) that are available to receive SMASH CLP management commands.


■  BY  WINSTON  BUMPUS 

IT organizations face increasing complexity and costs associated with operating multiple server platforms across diverse departments, sites and locations. With important initiatives such as grid and utility computing underway at many organizations, server management continues to be central to controlling costs in data centers — it is the building block on which successful management is built. As a result, standards that focus on server management are increasingly critical.

Until now there have been no cross-platform standards that let network administrators directly manage servers from multiple vendors. This led hardware manufacturers to develop varied tool sets to manage in-band and out-of-band traffic for different operating systems and system states. Today’s multi-vendor data centers contain an inefficient array of management commands and tools.

To address this, the Distributed Management Task Force (DMTF) recently announced details of its Systems Management Architecture for Server Hardware suite, including the SMASH Command Line Protocol (CLP) specification. SMASH CLP enables simple and intuitive management of heterogeneous servers in data centers independent of machine state, operating system state, server system topology or access method.

Got great ideas

■ Network World is looking for great ideas for future Tech Updates. If you want to contribute a primer on a specific technology, standard or protocol, contact Amy Schurr, senior managing editor, features (aschurr@nww.com).

Building on the DMTF’s Common Information Model schema, SMASH CLP provides a “lightweight” command-line syntax; it lets different vendors’ systems be represented in similar ways. Server vendors’ products, including stand-alone servers, blades, racks and partitions, will be able to support SMASH CLP commands. With these SMASH CLP-enabled products, users on a management station or a client will be able to execute common operations — such as system power on and off, system log display, boot order configuration and text-based remote console — using the same commands across disparate vendor platforms.

SMASH CLP is a command/response specification (executed by a user or in an automated fashion by a script) transmitted and received over a text message-based transport protocol. The SMASH CLP syntax is explicitly defined, with selectable formats. Options include free-form text, comma form text, comma-separated, keyword=value and XML. In this simple interface, users navigate a directory-like hierarchy of command targets.

For example, once a session is established using authentication prompts, users initiate the SMASH CLP interaction using text message protocols such as Telnet or Secure Shell (SSH). The SMASH CLP specification contains mappings for SSH Version 2 and Telnet, but other transports are possible.

The text command message is transmitted from the user over the transport protocol to the server. SMASH CLP commands are transmitted and received between the two in the same way regardless of server platform — a breakthrough in simplified server management.

In addition to providing the protocol, the SMASH CLP specification will include server profiles spanning the spectrum of stand-alone servers, blades, racks and partitions, addressing enterprise and telco environments. The user-friendly views provided in the profiles are defined to simplify managing system boot, power, storage, driver firmware and software, system configuration and hardware product assets.

The SMASH CLP interface provides a uniform command set for controlling hardware in heterogeneous environments, helping reduce management complexity. SMASH CLP also enables the development of common scripts to increase data center automation, which can help to significantly reduce management costs.

The full SMASH suite, which includes CLP and additional specifications, is scheduled to be released by the DMTF next year, and already there is widespread vendor support. SMASH CLP will address the common problems of server management and usher in a new era of simplified management in the heterogeneous data center.

Bumpus is the president of the DMTF. He can be reached at president@dmtf.org.


Ask Dr. Internet

By Steve Blass

We installed the pre-built binary version of the Jboss Nukes content management system from Sourceforge after trying unsuccessfully to build pages from the Java source code. We want to make changes to the default page layout. The instructions all assume you can rebuild the sources. Is there another way to update the theme definition to change default settings?

The default-page layout theme definitions are located in the nukes-lib.jar file inside the server/default/deploy/nukes.ear folder of a running Nukes installation. Nukes themes can be defined by plain HTML and Cascading Style Sheets (CSS), or in combination with additional Java code. Changes can be made to the HTML and CSS components without a Java source build by unpacking the jar file, changing the files and re-creating the jar file. Copy nukes-lib.jar to a clean directory and unpack it with the command “jar xvf nukes-lib.jar”. After unpacking the files you'll find the theme definitions in the directory org/jboss/nukes/core/themes. To change the settings of the default theme, edit the files imagic/theme.html and imagic/style/style.css. Use the command “jar cvf nukes-lib.jar *” to repackage the jar file and copy the new nukes-lib.jar over the original in the nukes.ear folder.

Blass is a network architect at Change@Work in Houston. He can be reached at dr.internet@changeatwork.com.
In previous Gearhead columns we have discussed our quest to find network and IT solutions for a nonprofit school. Products and systems for this kind of environment must be cheap, easy to set up, cheap, easy to manage, cheap and easy to troubleshoot.

One of the biggest areas of concern for schools is Internet filtering. We tried using a router from a well-known vendor that included a filtering capability but it caused major problems with all kinds of software on the network — notably Microsoft Office — so we switched off the filtering.

Since then we have been looking for a simple and manageable filtering product, and yesterday we found what looks like a workable solution. The product is CCProxy from Youngzsoft.

CCProxy is small (less than 750K bytes), installs quickly and easily and can run as an NT service. The product’s user interface is equally simple. Instead of a menu bar it offers a tool ribbon with buttons for start and stop, options setup, account setup, registration, exit, hide to system tray and help.

The options setup lets you configure which protocols and services will be offered by the proxy. You can define custom ports for each protocol, including HTTP/RTSP, Secure HTTP (HTTPS), FTP (both regular and Web), Gopher, SOCKS/MMS, Telnet and NNTP. CCProxy also can provide proxy services on standard ports for SMTP and DNS. It supports a Web cache, remote dial-up support, auto startup with Windows, auto hide to the system tray and port mapping (the ability to redirect requests for a specific port on a target server to a different port on another server).

CCProxy can be configured to allow or deny access in a variety of ways. It can restrict access only to sites on a whitelist, allow access to all sites except those on a blacklist, obey a combination of those criteria, block access to any specified file or content type (for example, all .exe files), or block access to content containing keywords (for example, “buy now”).

You can define those criteria for groups of users defined by IP or media access control, by logon name and password, or by a combination of those techniques. To that you can add restrictions on the time of day and day of week that access is allowed, and define maximum use throughput rates.

We plan to disable direct outgoing access to the Web (both HTTP and HTTPS) at the firewall/router and allow access only via the CCProxy server. We will set up an account under CCProxy and define all the IP addresses on the network that allow outgoing access, and configure the product to allow access only to specific destinations.

Rather than buying a service that lists all unacceptable sites, the teachers will define the Web sites that meet their needs and as students ask for other sites to be added the staff will consider whether to do so.

There really is a lot to like in CCProxy — it has a Web management interface, excellent reporting and logging features, and even can be translated into another language.

CCProxy is highly suitable for simple filtering, as it can use an externally defined whitelist or blacklist provided as a simple text file with a site specification such as “*.nwfusion.com” on each line.

The only problem is that to make any changes in the external list active the CCProxy server needs to be restarted. We have written to the developers asking for a scheduled restart (say every hour) or a restart based on whether the control file’s time stamp has been modified, but we have yet to hear back from them.

In the interim we have a few choices. The simplest and least expensive is to set up a job schedule to run a utility such as PsService in Sysinternals’ tool kit (which is free — see www.nwfusion.com, DocFinder: 4544). This is a tool for listing, starting, stopping and suspending system services.

PsService can be run in a batch file, and the command “psservice restart ccproxy” will do exactly what you might expect — restart the service and reload the blacklist or whitelist file contents. We plan to have the command executed every day at 4 a.m.
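The time-stamp-based restart requested from the developers can be approximated outside CCProxy by a scheduled job. The following is an added example, not from the column or from Youngzsoft: it runs the “psservice restart ccproxy” command quoted above only when the list file's modification time has changed and every line passes a syntax check, so a mistyped list never replaces a working one. The entry syntax (an optional `*.` followed by a host name), the file names and the state-file mechanism are assumptions.

```python
import os
import re
import subprocess

# Command quoted in the column; PsService must be on the PATH of the scheduled job.
RESTART_CMD = ["psservice", "restart", "ccproxy"]

# Assumed entry syntax: one site per line, optional leading "*." wildcard.
ENTRY_RE = re.compile(
    r"^(\*\.)?([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$", re.IGNORECASE
)


def load_entries(path):
    """Return (entries, bad_lines); bad_lines holds (line_number, text) pairs."""
    entries, bad = [], []
    with open(path, encoding="ascii", errors="replace") as fh:
        for number, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line:
                continue                      # blank lines are ignored
            if ENTRY_RE.match(line):
                entries.append(line.lower())
            else:
                bad.append((number, line))
    return entries, bad


def check_and_restart(list_path, state_path, run=subprocess.run):
    """Restart the proxy only for a changed, well-formed list file.

    Returns "unchanged", "rejected" or "restarted". The modification time of
    the last list that was actually loaded is remembered in state_path, so a
    rejected edit is re-examined on the next run after someone fixes it.
    """
    mtime = str(os.stat(list_path).st_mtime_ns)
    try:
        with open(state_path) as fh:
            last_loaded = fh.read().strip()
    except FileNotFoundError:
        last_loaded = ""
    if mtime == last_loaded:
        return "unchanged"

    entries, bad = load_entries(list_path)
    if bad or not entries:
        # Fail safe: keep the proxy running with the list it already has
        # rather than reload a broken or empty whitelist.
        return "rejected"

    run(RESTART_CMD, check=True)              # raises if the restart fails
    with open(state_path, "w") as fh:
        fh.write(mtime)
    return "restarted"


if __name__ == "__main__":
    # Hypothetical paths; schedule this script as often as edits should take effect.
    print(check_and_restart(r"C:\ccproxy\whitelist.txt", r"C:\ccproxy\whitelist.state"))
```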

We  also  plan  to  provide  a  simple  editing 
interface,  perhaps  using  Interactive  Tools 
Page  Publisher  to  let  the  staff  add  to  and 
modify  the  blacklist/whitelist  file  (see 
“Outstanding user-driven publishing,” DocFinder: 4546).
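One way to guard the scheduled restart described above, as an added example that is not from the column or from CCProxy's documentation: lint the staff-edited list and run `psservice restart ccproxy` only when its content has changed. The entry grammar (one host per line, optional leading `*.`), the file names and the rule rejecting over-broad patterns are assumptions.

```python
"""Lint a staff-edited CCProxy site list; restart the service only on change.

Assumptions (not taken from CCProxy documentation): one host pattern per
line, optionally prefixed with "*." as in the column's "*.nwfusion.com"
example; the two file paths below are placeholders.
"""
import hashlib
import re
import subprocess
import sys
from pathlib import Path

LIST_FILE = Path("sitelist.txt")       # placeholder: the external list file
STATE_FILE = Path("sitelist.sha256")   # digest of the list last loaded

# Constructed sample list, used only for a dry run when LIST_FILE is absent.
SAMPLE = "*.nwfusion.com\nwww.example.edu\n*.com\n"

# A DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def check_entry(line):
    """Return (normalized_entry, None) or (None, reason) for one list line."""
    entry = line.strip().lower()
    if not entry:
        return None, "blank line"
    if "://" in entry or "/" in entry:
        return None, "URL or path given; a host pattern is expected"
    host = entry[2:] if entry.startswith("*.") else entry
    if "*" in host:
        return None, "wildcard is only accepted as a leading '*.'"
    labels = host.split(".")
    if len(labels) < 2:
        # "*.com" or a bare word would match far more than one site.
        return None, "pattern too broad: need a domain and a TLD"
    if not all(LABEL.match(label) for label in labels):
        return None, "invalid character or label in host name"
    return entry, None


def lint(text):
    """Split list text into valid entries and (line_no, raw, reason) errors."""
    good, bad = [], []
    for number, raw in enumerate(text.splitlines(), start=1):
        entry, reason = check_entry(raw)
        if entry is not None:
            good.append(entry)
        elif reason != "blank line":
            bad.append((number, raw.strip(), reason))
    return good, bad


def digest(entries):
    """Hash normalized entries so whitespace-only edits trigger no restart."""
    return hashlib.sha256("\n".join(entries).encode("ascii")).hexdigest()


def plan_restart(list_text, previous_digest):
    """Return (new_digest, errors); new_digest is None when no restart is due.

    A list with any bad line, or with no entries at all, never causes a
    restart, so the proxy keeps enforcing the list it already has loaded.
    """
    good, bad = lint(list_text)
    if not good and not bad:
        bad = [(0, "", "list is empty")]
    if bad:
        return None, bad
    new = digest(good)
    return (new if new != previous_digest else None), []


def main():
    dry_run = not LIST_FILE.exists()
    text = SAMPLE if dry_run else LIST_FILE.read_text(
        encoding="utf-8", errors="replace")
    previous = STATE_FILE.read_text().strip() if STATE_FILE.exists() else ""
    new_digest, errors = plan_restart(text, previous)
    for number, raw, reason in errors:
        print(f"line {number}: {raw!r}: {reason}", file=sys.stderr)
    if errors:
        return 1
    if new_digest and not dry_run:
        # The command quoted in the column; PsService must be on PATH.
        subprocess.run(["psservice", "restart", "ccproxy"], check=True)
        STATE_FILE.write_text(new_digest)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Scheduled in place of the bare restart command, this leaves the service untouched on days when nobody edited the list and reports the offending line when an edit would have loaded a malformed or over-broad entry.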

Next week we’ll fire up this system and see if it works. So far, we are impressed by CCProxy’s stability and its amazingly reasonable $70 price tag. Moreover, there appears to be nothing else quite like it.

Send your proxy solution to gearhead@gibbs.com.


Goof 


Quick  takes 
on  high-tech  toys 

By  Keith  Shaw 


Lexar  Media  offers  new  music  players 

Is  it  a  storage  device  or  an  MP3  player?  Lexar  Media  says 
its  new  LDP-400,  a  compact  digital  music  player  that  also 
acts  as  a  USB  flash  drive,  is  both. 

The company last week announced this and another music player, the LDP-600, which also includes a built-in FM radio transmitter. Both music players support MP3 files and WMA music files, and the Microsoft Digital Rights Management technology.

The Lexar LDP-400 runs on a AAA battery and features a slide-out USB port connector.

The  LDP-600’s  FM  transmitter  will  let  users  play  music 
over  any  unused  FM  frequency  without  adding  an  adapter. 


The device also lets users record FM broadcasts or act as a digital voice recorder for dictation. It will come in storage capacities of 256M ($130) or 512M bytes ($170), and with a Secure Digital memory card slot for 1G-byte cards. The LDP-600 runs on a rechargeable lithium polymer battery and provides up to 14 hours on a single charge.

The LDP-400 features a slide-out USB connector port and runs on one AAA battery providing up to 12 hours of battery life. It will come with 128M ($70) or 256M bytes ($90) of storage.

Verizon,  LG  launch  camera  phone 

Verizon  and  LG  Mobile  Phones  last 
week  launched  the  LG  VX6100  camera 
phone,  an  update  to  the  VX6000  handset. 

The new version includes an embedded camera with a flash; 4x zoom; and image adjustment features such as white balance, color effects and changing photo resolution.

Other features include speakerphone, voice command and support for Verizon’s Mobile Web 2.0 service, which lets users access news and information from more than 30 content providers. The phone measures 3.56 by 1.9 by 0.94 inches and weighs 3.88 ounces; and has an external grayscale LCD and an internal color LCD.

It offers up to three hours of talk time and up to 150 hours of standby time. The phone will operate on Verizon’s CDMA 1x network.

The  VX6100  is  available  now  for  about  $100  (after  a  $50 
rebate  and  a  two-year  service  agreement).  For  details,  go  to 
the  Verizon  Wireless  Web  site. 

A  mouse  for  your  PDA? 

It sounds crazy that you would want to use a mouse on your PDA or smartphone, but at least one company is pushing the idea. Think Outside last week announced availability of its Stowaway Travel Mouse, a portable Bluetooth mouse that works with smartphones, PDAs and notebooks. The mouse supports applications such as Pocket Word, Excel and messaging; and includes right-click and scroll-wheel functionality. Think Outside says that with a mouse, mobile device users can more easily navigate through applications and menus.

The unit, priced at about $80, will be available later this month at retailers in the U.S. and Europe, and through the Think Outside Web site. Smartphone support includes the XDA II series from O2, T-Mobile, Vodaphone, Q-Tek, Orange and other wireless service providers. Pocket PC support includes the Dell Axim X30 and X50; the HP iPaq 1940, 1945, 2210, 2215, 4150, 4155, 4350, 4355, 5550 and 5555; and the Asus MyPal A620BT. The mouse will work with Macintosh Powerbooks; any Windows XP SP1 system that includes integrated Bluetooth; and any Bluetooth adapter from 3Com, Anycom, Belkin, D-Link Systems, Linksys, Orange Micro, Sony, Targus, TDK or Trendware.


The LG VX6100 camera phone features 4x zoom.

Shaw can be reached at kshaw@nww.com.


Trojans, worms, viruses, and application attacks don't scare the all-in-one Sidewinder G2 Security Appliance. It scares them!

It detects and stops them. It protects thousands of networks all over the world and it can protect yours. It includes the world's strongest application-layer firewall that has never been compromised. You can even add optional anti-virus, anti-spam, e-mail and Web content filtering, SSL VPN, and more.

For  a  free  evaluation,  call  1  800  379-4944. 

New security whitepaper available: Looking for in-depth knowledge to help protect your organization's Internet-connected applications and services from hacker attacks and malicious code? To learn more about effective protection mechanisms, deep packet inspection, intrusion prevention and more, download our new security whitepaper. Written for busy IT professionals, it offers three simple ways to evaluate emerging application gateway technologies. Download your copy now at www.securecomputing.com/goto/ad.

SECURITY APPLIANCE

Firewall/Security Appliance
Sidewinder G2™ Security Appliance
Sidewinder G2™ Enterprise Manager

Strong Authentication
SafeWord® RemoteAccess™
SafeWord® RemoteAccess,™ Cisco compatible
SafeWord® PremierAccess™
SafeWord for Check Point
SafeWord® for Citrix® MetaFrame™
SafeWord for Nortel Networks

Web Filtering
SmartFilter/ Sentian,™ Bess®

COMMON CRITERIA
EAL4+ CERTIFIED

Securing the connections between people, applications, and networks

ON TECHNOLOGY

John  Dix 

VON  faithful 
see  VoIP 
growing  up 


The crowd that flocked to the recent Voice on the Network conference in Boston found some frank discussion about IP PBX costs and interesting new management tools.

In an analyst panel on enterprise VoIP, Gartner analyst David Fraley asked how many vendors in the room claim their products save money. A bunch raised their hands. Then he asked how many tell customers it costs more? Only one hand went up. His conclusion: “There are lots of liars in the room.”

There are some savings, Fraley said, but if your network is 4 to 5 years old you’ll have to make a 100% forklift upgrade to accommodate VoIP. Even if your gear is new, you’ll still need to do lots of tuning, Fraley said. “There is a lot of heavy lifting in here. But I’m still a big believer.”

Ronald Gruia, a senior strategic analyst with Frost & Sullivan, estimates that for every dollar of voice equipment you put in you’ll need to invest about $3 worth of data equipment. He also notes that endpoints still represent about 50% of VoIP investments.

IDC senior analyst Steve Elliot said the fact that you typically need to upgrade the data network makes it hard to do a fair ROI analysis of IP PBXs. He also notes that management tools are still somewhat lacking.

There  was  one  vendor  at  the  show,  however,  talking 
about  an  interesting-sounding  management  tool  for  Cisco 
voice  environments. 

Clarus Systems has developed software that can be used to take control and test remote VoIP phones. While many other VoIP test products are snooping at the packet level looking at things like jitter, this tool actually reaches inside Cisco phones to see if they work properly.

The beauty of Cisco’s CallManager is it is infinitely flexible, says Michael Smith, vice president of product marketing and management at Clarus. “But that flexibility means it’s easy to hose yourself.”

The  ClarusIPC  Assurance  software  runs  on  a  server  and 
works  with  CallManager  to  locate  phones  and  then  reach 
inside  to  test  everything  from  configuration  to  feature  set, 
calling  privileges,  button  allocation  and  the  ability  to 
place  calls  and  reach  voice  mail. 

Smith  says  customers  will  be  able  to  use  the  product  — 
which  is  still  in  beta  —  to  check  systems  as  they  are 
rolled  out  and  to  help  troubleshoot  environments  as 
equipment  is  upgraded  and  moved  around. 

With the emergence of these types of tools and frank discussions about cost, one thing was clear at VON: VoIP is rapidly maturing.


—  John  Dix 
Editor  in  chief 
jdix@nww.com

Follow-up is needed

Regarding the story “Cisco deals kick VoIP market into high gear” (www.nwfusion.com, DocFinder: 4527): A few years ago Cisco made several similar big VoIP rollout announcements, Dow Chemical being one of the largest that comes to mind. Electronic Data Systems was the integrator for that project, which now is years behind schedule and significantly over budget. Yet no one ever follows up to see if these big deployments ever worked. I hope Network World will provide some follow-up on these deals in six, nine or 12 months to let people know if the projects ever actually happened and if they are successful. It’s easy to send out a press release when a bid is won; now show us the beef when it comes to the actual deployment of the project.

Debbie  Joy 
Phoenix 

Against  their  nature 

Regarding Mark Gibbs’ BackSpin column, “A letter to Messrs. Gates and Ballmer” (DocFinder: 4528): Gibbs’ appeal to the better nature of Bill Gates and Steve Ballmer is comedic given the history of Microsoft. What is tragic is that Gibbs believes these men have a better nature to which one could appeal. I would expect no less from them than a vehement denial that either Microsoft or they personally have ever been guilty of intentional misrepresentation of anything at any time except for those misrepresentations (if any) for which they have been convicted by a court of law and for which all possible avenues of appeal have been eliminated. Anything less would be grossly out of character.

Tony  Noll 
Portland,  Ore. 

E-mail letters to jdix@nww.com or send them to John Dix, editor in chief, Network World, 118 Turnpike Road, Southborough, MA 01772. Please include phone number and address for verification.


No  comparison 

In the story “Linux lowdown” (DocFinder: 4529), IT consultant Doug Freyburger compares doctors’, lawyers’ and certified public accountants’ certifications to Linux certifications. This comparison is without merit. The prescribed academic program in these three professions emphasizes a solid foundation of theory backed by extensive practical knowledge and includes an extended period of professional apprenticeship. I don’t see how industry certifications, which only test examinees on the configuration of operating systems and utilities in multiple-choice format for the written portion, can compare with the extremely broad and deep knowledgebase provided by studies in the medical, legal and accounting professions.

A  comparison  should  be  with  university  degrees  in 
computer  science  and/or  engineering,  which  offer 
enough  of  the  theoretical  foundations  of  the  subject 
to  justify  comparison. 

S.  Krishnan 
Mississauga,  Ont. 

Superiority  complex 


I  have  to  take  up  letter  writer  Christopher  Rose’s 
challenge  to  “show  me  the  other  vendors  or 
options that are so superior to [Windows NT File System]” (DocFinder: 4530). For networking, Novell
Storage  Services  is  vastly  superior  to  NTFS.  NSS  is  a 
realistic  security  system  that’s  light  years  easier  to 
operate,  has  real  deleted  file  recovery,  workable 
journaling,  snapshot  features  that  don’t  require 
double  disk  space  and  more.  Yes,  NTFS  has  been 
around  longer.  In  1993  PC  systems  didn’t  have  the 
pure  horsepower  to  support  journaling  effectively; 
now  they  do.  And  NSS  will  be  multi-platform  in 
February. 

Randy  Grein 
Everett,  Wash. 


More online! www.nwfusion.com Find out what readers are saying about these and other topics. DocFinder 4526

LIPPIS ON IP COMMUNICATIONS

Nick  Lippis 

There’s no doubt that Microsoft could enter the IP telephony market. But why would the software giant want to enter an area so foreign to its core business? Well, the answer is IP telephony is moving toward a Microsoft business model. In short, IP telephony will be a software- and services-based industry, exactly what Microsoft serves. If Cisco wins when communication sectors change to IP, Microsoft wins when large markets move toward software and services.

For  starters,  Microsoft  could  release  a  softphone  that  is  tightly  linked 
to  Outlook,  Live  Meeting,  NetMeeting  and  its  other  office  productivity 
software  packages.  Microsoft  could  change  course  and  close  the 
Outlook  API  it  has  offered  to  Cisco,  Avaya,  Nortel  and  others,  leaving 
these  firms  with  a  second-rate  softphone  that  does  not  connect  to  a 
Microsoft  world. You  might  ask,  is  a  softphone  that  important?  You  bet. 
Many  large  corporations  are  moving  away  from  fixed  analog,  digital 
and  even  IP  phones  to  smart  phones  and  softphones  over  the  next  few 
years.  British  Petroleum  plans  to  change  out  its  150,000  fixed  phones  to 
nearly  all  softphones  and  smart  phones  by  2008. 

Microsoft offering a built-in softphone would be a huge blow to IP telephony firms, whose revenue comes largely from fixed IP phones and, increasingly, software licenses. Microsoft has embraced Session Initiation Protocol on the endpoint by bundling a SIP client into XP. Most IP telephony firms give SIP lip service by promising SIP but loading up the stack with proprietary extensions that deliver more feature-rich services, locking customers into their IP telephony architecture.


Will  Microsoft  enter  IP  telephony? 


If Microsoft were to offer a SIP-based softphone, it would be a cataclysmic change agent forcing a new organizing principle on the IP telephony industry. All the IP telephony providers would have to change their business models, invariably with some not being able to do so successfully.

Those softphones need a connection manager or SIP proxy to provide connection/call services. It’s not a leap of faith to see Microsoft adding connection manager functionality into its live communications server. Alternatively, the increasing shift toward hosted IP telephony services, which moves the connection manager function into a service provider, could reduce the urgency for Microsoft to build or acquire its own. Instead, Microsoft could simply focus on its softphone and connect to every other connection manager on the market. This would let Microsoft own both the softphone and, more importantly, the suite of IP communication applications.

It’s inevitable that Microsoft will enter the IP telephony market at some level. Next year should be a good time for the company to make its move — projections show 2005 will be the year IP telephony deployments start to enter the “hockey stick” inflection point. In any event, Microsoft jumping into IP telephony surely will change the market.




Lippis is an authority on corporate IP communications and consultant to CXOs of Global 2000 companies. His Enterprise IP Communications Symposium will be held Nov. 10-11 in Atlanta. For more information, go to www.nwfusion.com, DocFinder: 4532. Lippis can be reached at nick@lippis.com.


CACHE  ADVANCE 

Linda  Musthaler 

Now that the 2004 elections are history, one would think the mudslinging, name-calling and negative ads would stop. Instead, it seems that businesses have been inspired by politicians to use these same tactics to scare and intimidate customers. There’s a fair amount of mud and FUD being slung around the IT industry.

The latest flap is between HP and Sun. It seems that Sun COO and President Jonathan Schwartz publishes a blog in which he has expressed some rather negative opinions about HP’s version of Unix. What’s more, Larry Singer, Sun senior vice president and strategic insight officer, has published so-called “reality check” stories in which he publicly questions the outlook for HP’s Unix customers. HP has objected to what it calls Sun’s “misleading and factually incorrect statements.” In a late September letter to Sun, HP insisted that Sun publish a retraction of the statements, along with a public apology. Sun responded that the assertions are personal opinion and are thus perfectly legal.

But  the  mud  flies  both  ways.  Sun  says  HP  belittles  the  purveyor  of 
Solaris  in  customer  briefings  by  showing  a  slide  of  Sun’s  stock  price 
and  calling  the  company  “irrelevant”  in  today’s  marketplace.  When  Sun 
executives  say  that  this  tactic  oversteps  the  bounds  of  normal  business 
practices,  HP  executives  respond  that  Sun’s  stock  price  is  a  matter  of 
public  record  and  there’s  no  harm  in  pointing  out  the  stock’s  nosedive 
to  customers. 

Man, I’m starting to get flashbacks to the recent presidential campaign and the drudging up of 30-year-old military records.

Of course, Bush, Kerry, HP and Sun haven’t cornered the market on injurious insults about their competitors. In attempting to stave off Oracle’s bid for PeopleSoft, former PeopleSoft CEO Craig Conway portrayed Larry Ellison and company as the Evil Empire. It’s no wonder why, since an Oracle executive was found to be gloating over the FUD it created, having written in an e-mail, “We’ve certainly wounded PSFT... Even if we don’t end up closing the deal, this is going to take PSFT time to recover.”

IT gets down and dirty

Don’t even get me started about the whole “SCO claims it owns Unix” debacle. That show has gone way beyond insults and innuendoes and has degraded into death threats against SCO CEO Darl McBride.

I’m all for healthy competition, but can’t companies take the high road as they go about their business? Why can’t they emphasize the merits of their offerings without belittling what the other guys offer? Has our country’s standard measure of behavior been lowered so much that it’s now acceptable to try to make yourself look good by making the competitor look bad? Certainly the recent political ads would have us believe this theory.

As  a  buyer  of  IT  products  and  services,  do  you  feel  good  about  your 
vendors  when  they  bad-mouth  and  denigrate  other  vendors?  Do  you 
want  an  executive  from  your  hardware  or  software  company  pointing 
out  competitors’  frailties? 

Years ago, when I was in software sales, I worked with a sales agent who routinely put down our firm’s main competitor. This agent thought the way to make our company’s products shine was to show how the other company’s products reeked. Then that competitor bought our company. And the sales agent had to sell the very products that he had been bad-mouthing for so long. Do you think his customers found him believable when he had to backtrack on his old words? (Take note of this, PeopleSoft. The Evil Empire soon could be your new owner and you’ll have to kiss and make up.)

I’m  sure  I’m  being  naive  about  how  to  conduct  oneself  in  an  ethical 
manner,  especially  when  millions  or  even  billions  of  dollars  are  on  the 
line.  I  mean,  if  the  ruler  of  the  free  world  is  elected  because  he  is  “the 
lesser  of  two  evils”  in  many  voters’  eyes,  I  guess  it’s  OK  to  pick  your  IT 
vendors  that  way,  too. 

Musthaler is vice president of Currid & Company, a technology assessment firm in Houston. She can be reached at linda@currid.com.

What’s m the training agenda for 2005?

■ BY LINDA LEUNG

Information security, VoIP, Java and Linux are key growth areas for training in 2005, says training provider The Training Camp.

The company — which is projecting 2004 revenue growth from its security, Java and Linux training courses to be 54%, 32% and 27%, respectively — estimates that the demand for Linux and Java certification training will continue to grow next year. The Training Camp anticipates that security will make up one-third of its revenue this year, from zero two years ago, says Chris Porter, president at The Training Camp.

Is your network vulnerable to intrusion?

Ever have that feeling somebody’s checking out your network, looking for vulnerabilities that could bring down your whole company? That’s what we do. Except we’re on your side. Our Web-based, hosted scanning solution allows you to detect your network's vulnerabilities, so you can prevent intrusions and gain peace of mind. Make sure your assets are covered.

Let IPxray sniff out your vulnerabilities. Start your FREE 2-week trial now.

Visit www.ipxray.com

Actionable Intelligence to Secure Your Network

© 2004 IPxray LLC.

This  should  be  of  interest  to  you  because 
the  programs  that  training  companies  offer 
are  a  good  reflection  of  the  technologies 
customers  are  demanding,  and  the 
attendee  profile  is  a  good  indicator  of 
where  a  certain  technology  is  in  its  cycle. 

For example, the cost-savings promise of VoIP has caused a demand in training in this technology. The Training Camp rolled out its practitioner-level VoIP training program six months ago and now runs a public class every month, from one class every two months when the program was first introduced. It also will provide between 20 and 30 private classes over the next quarter.

Most of the students are from consulting firms, which indicates that end-user organizations are at an evaluation stage and are demanding VoIP consultancy from their business partners. Porter expects to see more students from end-user organizations next year, as they begin to adopt VoIP. He is seeing interest in VoIP training from the military, government agencies, and telco carriers and equipment manufacturers.

The Training Camp’s information security course is targeted at senior managers charged with building a security strategy. The demand for such training reflects that security and the companies’ desire to develop an enterprise-wide strategy that brings all their security efforts together are high on priority lists. The Training Camp’s program covers penetration testing, ethical hacking and forensics, and students are prepped for the Certified Information Systems Security Professional exam.

Linux is another growth area for The Training Camp, which offers exams for the systems administration certification of the Linux Professional Institute. Porter believes there are several issues driving the demand for Linux training, including companies seeking to lower total cost of ownership and lessen their reliance on Microsoft technology. Porter says The Training Camp has seen interest in Linux training from the auto industry; perhaps competition in that industry is leading auto manufacturers to seek lower-cost computing environments.

It was surprising that The Training Camp singled out Java as a training growth area. “With the proliferation of mobile devices and set-top boxes, Java development is a core competency that Web application firms are looking for to build hardware-independent applications,” he says.

Forbes.com Tests New Data Center

Spirent  helps  leading  business  site 
ensure  performance 


Michael Smith, Vice President and COO, Forbes.com

“By helping us prevent downtime, Avalanche saves us time and money.”


If you want up-to-date business news, chances are you’ve visited Forbes.com. The popular Web site is known not only for its original, in-depth reporting but also for its comprehensive lists. These lists range from the Forbes 2000, a ranking of the world’s biggest companies, to surveys of the best business schools.

To ensure their site meets visitors’ expectations for performance and availability, Forbes.com tests its Web infrastructure regularly with the Avalanche load-testing appliance from Spirent Communications. Testing with Avalanche not only helped the company prepare for their move to a new data center, but also assures Forbes.com that their Web site is prepared to handle the spikes in traffic that come with the release of its popular lists.

Moving to a New Data Center

Forbes.com is one of the most trusted information resources for international business leaders and senior executives. The site provides real-time business news, stock and mutual fund quotes, comprehensive company profiles and a wide array of interactive tools, including the famous Forbes lists.

In  late  2003,  the  company  realized  that 
Forbes.com  had  outgrown  its  data  center.  In 
December,  Forbes.com  prepared  to  move  to  a  new 
center  that  could  better  accommodate  its  growth. 




“We’d been in our existing site for four years and had outgrown it,” says Michael Smith, vice president and COO of Forbes.com. “We were upgrading our hardware to new Foundry Networks core routers and switches and our software to Linux, so we had a chance to start fresh and make sure the site became faster and more scalable. We want to ensure that the user experience is as responsive when we’re experiencing high traffic on an atypical list release day as it is on a regular business day.”

To ensure the cutover would be successful, Forbes.com decided to test the stability and availability of its new Web infrastructure with the Avalanche 2500 load-testing appliance from Spirent - a product the company had used to test its Web site since 2001. “There was absolutely no question that we were going to stick with the Avalanche,” Smith says.

As  one  of  the  top  business  sites  on  the  Web, 
Forbes.com  gets  a  high  volume  of  traffic  on  a  daily 
basis.  However,  that  traffic  level  spikes  on  the  days 
that  the  site  releases  its  lists.  In  addition,  Forbes.com 
adds  new  functionality  every  week  to  the  150-plus 
applications  that  run  the  site.  The  company  can’t 
afford  for  its  site  to  be  down,  because  visitors  will 
simply  click  over  to  a  competitor’s  site. 

“It’s  critically  important  that  we  constantly 
test  the  site  to  ensure  that  it  has  the  scalability  to 
handle  both  surges  in  traffic  and  the  addition  of 
new  software,”  Smith  says.  “We  need  a  tool  that 
can  push  traffic  far  beyond  what  we  think  we’ll  get, 
so  we  can  analyze  our  upper  limits  and  anticipate 
where  things  might  break.” 

Optimizing  TCP  Throughput 

During the tests on Forbes.com's new data center infrastructure, the team used the Avalanche test appliance from Spirent Communications to generate a mix of users and traffic rates that emulated the expected traffic on Forbes.com. The test team configured the Avalanche to simulate 30,000 concurrent users and 12,000 to 15,000 hits per second while the site served up more than 400 Mbps of content.

Through Avalanche testing, the team discovered that throughput was below acceptable levels, with the site serving only a fraction of the required pages. By testing with Avalanche, they identified the potential breaking point of the new site.

The team quickly set up tests to identify the limiting performance thresholds across several metrics - bandwidth, transactions per second and concurrent users. Once the bottlenecks were identified, it was revealed that the Forbes.com traffic mix had been constrained by servers that were accepting a low rate of new TCP connections.

Contact Spirent at 1-800-927-2660 or to download the Forbes.com case study, go to: www.spirentcom.com/forbes

The  servers  in  the  new  data  center  had  been 
tuned  to  create  more  TCP  connections  than 
the  previous  process  could  actually  thread.  By 
re-tuning  the  new  servers  to  deliver  a  higher  level 
of  TCP  throughput,  a  more  robust  user  experience 
was  achieved. 




Flawless  Performance 

After  optimizing  the  Web  servers,  Forbes.com 
used  the  Avalanche  to  test  its  application  servers, 
the  performance  of  hardware  devices  such  as  load 
balancers  and  even  the  failover  site.  When  the  day 
came  to  switch  over  to  the  new  site,  Forbes.com  felt 
completely  secure  that  the  new  Web  infrastructure 
could  handle  the  demands  of  real-world  traffic. 

“We  used  the  Avalanche  to  test  the  limits  of  the 
new  site  until  we  felt  that  it  was  ready  to  flip,”  Smith 
says.  “When  we  cut  over,  we  had  every  confidence 
that it would run perfectly - and it did. The enhanced
reliability  and  performance  achieved  through 
Avalanche  testing  has  delivered  immeasurable 
value.  By  helping  us  prevent  downtime,  Avalanche 
saves  us  both  time  and  money.” 
Can you see it?


Middleware  is  Everywhere 


MIDDLEWARE  IS  IBM  SOFTWARE.  Identity  management 
software  that  uses  single  sign-on  technology  to  ensure  that 
the  right  access  is  given  to  the  right  people.  Open,  modular 
Tivoli  security  software  that  automates  processes  between 
employees,  partners,  customers  and  suppliers  -  while 
helping  to  reduce  costs.  It’s  how  everyone  involved 
gets  the  information  they  need.  On  time.  And  on  demand. 

1.  Buyer  downloads  competitive  pricing. 

2.  Manager  securely  retrieves  invoices. 

3.  Driver  obtains  specific  delivery  details. 

4.  Ex-vendor  denied  access  to  intranet. 

5.  Customer’s  identity  protected  from  theft. 

Middleware for the on demand world. Learn more at ibm.com/middleware/identity

SECURITY  ADVANCES  PUSH  INTRUSION 
DETECTION  DEEPER  INTO  THE  NETWORK, 

RELEGATING  ITS  ROLE  TO  FORENSICS 
INVESTIGATION  AND  INTERNAL  MONITORING. 


■BY  DEBORAH  RADCLIFF 

Drowning in signature libraries and reactive event information that is
of little value in locating attacks in progress, network security
managers are fed up with signature-based intrusion-detection systems
that have been the backbone of network security. Amid an ever-shrinking
time gap between vulnerabilities and exploits, signature-matching IDS
already has become obsolete, analysts and users say.

“We've hit the wall with IDS,” says Bill Boni, chief information
security officer of Motorola in Schaumburg, Ill. “We get a million IDS
alerts a week. It's choking our consoles, and we can’t tell the
difference between an event and a non-event.”

Sales of the burdensome, expensive technology are flattening, according
to Infonetics Research. The research firm predicts that this year will
close with sales of $281.1 million, and sales are forecast to edge up
to $341.5 million in 2007.

But don’t count on IDS to die in 2005 as Gartner predicted in a controversial report
last  year.  Instead,  IDS  will  become  part  of  a  greater  framework  of  security  information 
management  (SIM),  in  which  IDS  data  can  be  augmented  by  more  reliable  monitoring 
and  reporting  technologies.  In  the  near  term,  this  relegates  IDS  to  a  forensics  and 
analysis  role  for  after-the-fact  inspection,  users  and  analysts  say.  In  five  years  or  so, 
a  coalescence  of  compliance  management  and  endpoint,  kernel-level  security  could 
cause  the  demise  of  signature-based  IDS  altogether. 

“What  we're  going  to  see  is  a  hybrid.  Monitoring  at  the  edge  and  core,  sensor 
devices  and  remediation  consoles  all  over  the  network  that  work  together,”  says  Joel 
Snyder,  principal  at  Opus  One  and  a  Network  World  Lab  Alliance  member.  “Just  like 
your  network  isn't  one  box  that  you  plug  everything  into,  it’s  the  same  with  your  IDS 
landscape." 

Monitoring  mania 

Already, frustrated IT leaders like Boni are working around IDS’
maddening shortcomings by correlating IDS alerts with other security
and vulnerability information — something Boni’s team did by writing
its own middleware. SIM vendors also have become more modular in their
approach to security information analysis by layering proprietary
vulnerability management, anomaly detection, network assessment and
even honeypot modules with IDS modules to better pinpoint and respond
to security events.

"Where  we’ve  failed  is  in  that  detection  has  been  binary  before  —  yes,  this  is  an 
attack;  no,  it’s  not  an  attack,”  says  Andrew  Yee,  CEO  and  president  of  intrusion  man¬ 
agement  vendor  NFR  Security.  “There  needs  to  be  qualitative  assessments  of  each 
detection.  So  the  first  change  you’ll  see  in  intrusion  management  is  the  inclusion  of 
vulnerability  management  and  other  discovery  tools  falling  under  a  category  of 
what I call enterprise security intelligence.”


Leading the charge in better security information are the
intrusion-prevention system (IPS) vendors, which use a variety of
proprietary network and traffic analysis engines to reduce reliance on
signatures and avoid the same false-positive mistakes their IDS
forefathers made. IPS sits in-line at the network perimeter, scanning
incoming traffic for signs of malicious code. Unlike IDS, it can drop
suspect traffic automatically or alert network security staff, who
will handle it manually.

IPS vendors project that their tools ultimately will replace IDS
altogether. Infonetics projects a jump from $132.3 million to $425.5
million in sales for inline IDS between 2004 and 2007. Gartner, too,
sees IPS sales surpassing IDS sales by the end of next year, says
Craig Young, a Gartner analyst. “Most vendors have already made the
switchover from pure IDS to IPS with some sort of mitigation,” he says.

“The average intrusion-detection system has about 6,000 signatures.
But our clients are only running intrusion prevention’s blocking mode
on about 25 to 50 signatures. The rest are still run in detection
mode,” says Paul Proctor, vice president of the security and risk
strategies practice at Meta Group.

For example, Boni’s team at Motorola is looking into using IPS as a
means to dramatically reduce IDS alerts by blocking the most commonly
known viruses, worms and attacks at the network edge. “If we can
calibrate the IPS sensors and they block 900 of 1,000 attacks, then
that leaves only 100 events hitting our IDS,” he says.

But all of this extra monitoring capability will be costly. According
to Snyder, replacing a traditional $10 LAN switch with IPS-capable LAN
equipment costs hundreds to thousands of dollars per port sensor. That
doesn’t include the cost of human management and maintenance costs of
the IPSs on those ports.

Product choices will be complicated, too, because additional monitoring
technologies are sold separately as adjunct modules to signature-based
IDS/IPS. Those monitoring technologies come in so many flavors: anomaly
detection, heuristics, traffic
FIRST GENERATION

Traditional IDS is placed on a router or switch port at the perimeter
of the network and looks for inbound malicious traffic, matching
signatures in the database.

1 IDS sensors on the network passively monitor traffic flowing through
them.

2 IDS sensors check traffic against the IDS console's database of
attack signatures.

3 Whenever the traffic matches a signature, the IDS triggers an alert.
The trouble is, the alerts aren't necessarily pertinent to the network
in question, which causes an abundance of false positives. Alerts also
come on a packet-by-packet basis, creating a flood of alerts for what
might only be a single event.

NEXT GENERATION

IDS is already becoming part of security information management (SIM)
frameworks that augment IDS data with more reliable monitoring and
reporting technologies to reduce the problem of false positives. These
advances make event information more manageable and relegate IDS to a
forensics discovery tool and internal subnet monitoring device.

1 Honeypots trap traffic blocked by firewall for analysis.

2 Active and passive scanning sensors sit in-line using
signature-matching, heuristics (behavior analysis) and deep packet
inspection to identify and drop malicious traffic per user
specification.

3 IDS sensors placed deeper in the network to catch internally launched
malicious code, which IPS can’t detect at the perimeter.

4 Sensors from all monitoring devices send information to the SIM
console for correlation, analysis and alerts.

5 SIM also includes vulnerability and configuration management modules
that check devices and correlate that information with event
information.

Rather than catching attacks after they happen, in about five years
kernel-level security policies enforced on each endpoint device will
rid the network of vulnerabilities. IDS and IPS will fade altogether
and the SIM console will be used primarily for compliance checks and
policy updates on devices.

A SIM console still will be needed to accept information from firewall
and honeypot, but will be used more for policy compliance checks and
updates on devices.
pattern analysis, application analysis, payload analysis, passive vs.
active listening, and so on (see graphic, right).

IPS vendor Reflex Security eliminates false positives through seven
different detection modules including antivirus, signatures, three
anomalous behavior modules (looking for formation of packets, time and
completion of the two-way handshake), and a permission module similar
to a firewall. NFR sells an operating system fingerprinting module, a
technique that uses a proprietary sniffer to listen to device chatter
and determine what applications are running on the network. Still
others, including TippingPoint Technologies, SolidCore and Mirage
Networks, market their flavors of heuristics to determine if an attack
is relevant. Mirage is taking it a step further and dropping malicious
traffic into a honeypot device for analysis and forensics.

“The market is very enamored with anything that provides value because
people are tired of the care and feeding of traditional,
signature-based intrusion-detection technologies,” Proctor says. “But
it’s an arms race out there. And that’s creating a lot of confusion.”

To  simplify  matters,  Proctor  recommends  focusing  on 
what  source  of  data  you  want  to  look  at  and  how  it  fits  your 
architectures  (see  www.nwfusion.com,  DocFinder:  4540). 

Rand McNally wanted to monitor just the inbound traffic to its most
lucrative e-commerce sites, including custom maps and K-12 educational
materials. So the publisher put Lancope’s StealthWatch on
Internet-facing routers to monitor inbound traffic for atypical
behavior.

StealthWatch creates a baseline of common traffic patterns, then
correlates anomalous traffic reports with pattern recognition and
attack signature libraries to give Rand McNally a top 10 threat rating
for use in prioritizing response.

“You see you’re being scanned every second of every day,” says Bob
Wood, senior network security analyst at Rand McNally in Skokie, Ill.
“We can see what type of packets, the amount of packets and what ports
they’re going against. If it looks like someone’s doing a specific
attack on an FTP port, we know it’s bad.”

Despite more reliable information, Wood has not turned on
StealthWatch’s in-line IPS capability for fear it would block
legitimate customer traffic from, say, a large trucking client logging
on to the IntelliRoute site in need of a route map for a driver in a
hurry.

“In  a  dream  intrusion-prevention  environment,  you’d 
have  something  monitoring  all  of  your  traffic  and  stopping 
the  bad  guys  wherever  they’re  at.  But  that  isn’t  the  reality 
and  never  will  be,”  Wood  says.  “IPS  will  get  better,  but  you 
still  have  that  chance  of  blocking  the  wrong  thing.” 
•  TRAFFIC  ANALYSIS

•  PATTERN  RECOGNITION 

•  SIGNATURE-MATCHING 

•  ANOMALY-BASED 

•  HEURISTICS  (BEHAVIOR  ANALYSIS) 

CORRELATION  AND  FORENSICS  TECHNIQUES 
The  signature  quagmire

False positives stem from IPS’ reliance on signatures, says Daniel Hay,
network security engineer at Drexel University in Philadelphia.

“Considering how fast malware is updated and changed just enough to
bypass IDS/IPS signatures, you try to create signatures that are less
stringent,” he says. “Unfortunately, this creates false positives and,
in an IPS, would cause legitimate traffic to be blocked. That’s not
acceptable in a production environment like ours.”

Drexel uses a SIM/event management console by Tenable Security called
Lightning Console that correlates Drexel’s network flow data and other
network traffic information with Tenable’s scanners, Nessus and NeVo.
Nessus scans devices for open ports and other unpatched
vulnerabilities, while NeVo passively sits like a sniffer on the
network and runs continuously.

“NeVo will pick up if a port is open and traffic has gone through it
at 10 a.m. Say I did a Nessus scan at 9 a.m. and saw that port was not
open at the time. It might be something I want to look into,” Hay says.

Signature no longer valid

Signature-based intrusion detection is already obsolete not only
because of the technology's information management deficiencies but
also because there are too many ways to fool it.

Even Internet Security Systems realizes that signatures aren't cutting
it any longer. Last month, it announced a new threat prevention
component to Proventia that relies less on signatures and more on
vulnerability management.

Attack and penetration test tool kits, such as Canvas and MetaSploit,
can change attack patterns on the fly. MetaSploit also includes tools
that encode shellscripts (executable hacker code), encrypt the remote
shell connection and do application layer fragmentation in such random,
tiny bits that they can’t be analyzed by the most well-tuned IDS
sensor.

“Imagine if an IDS had to decode everything that went by. Then on top
of that, what if everything was sent in small packets. Let’s say the
slash came across in one packet, ‘b’ in another ‘i’, and ‘n’ in two
more,” says Jose Avila, founder of H.E. Security Group.

IDSs can't see an encrypted remote-shell connection because they can't
perform application-layer de-fragmentation — it would take too much
processing power, among other things. Furthermore, IDS sensors will
only alert on shellscript if it matches a signature, which is easy to
change by encoding it.

There are many other ways to get around signature-based IDS systems, so
it’s no wonder vendors are going with other monitoring, correlation and
blocking technologies.

— Deborah Radcliff
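The fragmentation problem from the "Signature no longer valid" sidebar, seen from the sensor's side, as an added example that is not part of the original article. It contrasts a matcher that inspects each packet alone with one that first rebuilds each flow from sequence numbers; the flows, payloads and the sample signature are constructed for illustration.

```python
"""Per-packet versus reassembled-stream signature matching (constructed data)."""
from collections import defaultdict

SIGNATURE = b"/bin/sh"  # assumed sample signature, not from any real rule set

# Constructed flow identifiers (documentation address ranges).
FLOW_FRAG = "198.51.100.7:40112>192.0.2.10:21"
FLOW_PLAIN = "198.51.100.8:40200>192.0.2.10:21"
FLOW_BENIGN = "198.51.100.9:40300>192.0.2.10:80"

# Constructed TCP segments: (flow id, sequence number of first byte, payload).
SEGMENTS = [
    (FLOW_FRAG, 1000, b"run "),
    (FLOW_FRAG, 1004, b"/"),
    (FLOW_FRAG, 1006, b"i"),       # arrives before the byte at 1005
    (FLOW_FRAG, 1005, b"b"),
    (FLOW_FRAG, 1007, b"n"),
    (FLOW_FRAG, 1007, b"n"),       # retransmission of the same byte
    (FLOW_FRAG, 1008, b"/s"),
    (FLOW_FRAG, 1010, b"h\n"),
    (FLOW_PLAIN, 500, b"exec /bin/sh"),
    (FLOW_BENIGN, 42, b"GET /index.html HTTP/1.0\r\n"),
]


def per_packet_alerts(segments, signature=SIGNATURE):
    """Flows in which one single segment payload contains the signature."""
    return {flow for flow, _seq, payload in segments if signature in payload}


def reassemble(segments):
    """Rebuild every flow as a list of contiguous byte runs.

    Out-of-order segments are placed by sequence number and retransmitted
    bytes are ignored (first copy wins; real TCP stacks differ on overlaps,
    so a sensor has to pick the policy of the host it protects). A missing
    byte starts a new run. Sequence-number wraparound is not handled.
    """
    byte_at = defaultdict(dict)
    for flow, seq, payload in segments:
        for offset, value in enumerate(payload):
            byte_at[flow].setdefault(seq + offset, value)

    streams = {}
    for flow, positions in byte_at.items():
        runs, current, previous = [], bytearray(), None
        for pos in sorted(positions):
            if previous is not None and pos != previous + 1:
                runs.append(bytes(current))   # gap: data not captured
                current = bytearray()
            current.append(positions[pos])
            previous = pos
        runs.append(bytes(current))
        streams[flow] = runs
    return streams


def stream_alerts(segments, signature=SIGNATURE):
    """Flows whose reassembled byte stream contains the signature."""
    return {
        flow
        for flow, runs in reassemble(segments).items()
        if any(signature in run for run in runs)
    }


if __name__ == "__main__":
    print("per-packet :", sorted(per_packet_alerts(SEGMENTS)))
    print("reassembled:", sorted(stream_alerts(SEGMENTS)))
```

The per-packet matcher reports only the flow that carried the string in one segment; the reassembling matcher also reports the fragmented flow, at the cost of buffering state for every flow it watches.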
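The comparison Hay describes, a port that carries traffic at 10 a.m. although the 9 a.m. active scan found it closed, sketched as an added example (not Tenable's code and not part of the original article). The record layouts, hosts, ports and times are constructed assumptions.

```python
"""Correlate passive observations with the last active scan (constructed data)."""
from datetime import datetime


def ts(hhmm):
    """Build a timestamp on one constructed sample day."""
    return datetime.strptime("2004-11-01 " + hhmm, "%Y-%m-%d %H:%M")


# Constructed active-scan results: host -> scan time and ports found open.
SCANS = {
    "10.1.1.20": {"time": ts("09:00"), "open_ports": {22, 80}},
    "10.1.1.21": {"time": ts("09:00"), "open_ports": {443}},
}

# Constructed passive-sensor records: (time, server host, server port).
OBSERVED = [
    (ts("08:30"), "10.1.1.20", 8080),  # older than the scan, so superseded
    (ts("09:40"), "10.1.1.20", 80),    # known open port
    (ts("10:00"), "10.1.1.20", 8080),  # closed at 09:00, serving at 10:00
    (ts("10:05"), "10.1.1.20", 8080),
    (ts("10:10"), "10.1.1.21", 443),
    (ts("10:20"), "10.1.1.99", 21),    # host the scanner has never seen
]


def correlate(scans, observed):
    """Return one finding per (host, port) that the scan data cannot explain.

    A passive record is flagged when it is newer than the host's last scan
    and the port was not open in that scan, or when the host has no scan
    record at all. Repeated sightings are folded into a hit counter so one
    open port produces one finding instead of one alert per packet.
    """
    findings = {}
    for when, host, port in sorted(observed):
        scan = scans.get(host)
        if scan is None:
            reason = "host has no active-scan record"
        elif when <= scan["time"] or port in scan["open_ports"]:
            continue
        else:
            reason = "port served traffic but was closed at last scan"
        entry = findings.setdefault((host, port), {
            "host": host,
            "port": port,
            "first_seen": when,
            "last_scan": scan["time"] if scan else None,
            "hits": 0,
            "reason": reason,
        })
        entry["hits"] += 1
    return sorted(findings.values(), key=lambda f: f["first_seen"])


if __name__ == "__main__":
    for finding in correlate(SCANS, OBSERVED):
        print(finding["first_seen"].strftime("%H:%M"), finding["host"],
              finding["port"], finding["hits"], finding["reason"])
```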

In addition to other forms of security monitoring, Drexel still uses
signature analysis, which is built into the NeVo scanner. But some
companies, such as QuadraMed, are all too happy to rid themselves of
their signature-based systems altogether.

“Every time we got a report off an IDS, it was pulse-raising. There’d
be two $100,000-a-year Cisco Certified Network Engineers plowing
through event logs trying to figure out what’s going on,” says Chris
Van Waters, senior director of IT for QuadraMed, a Westin, Va.,
healthcare technology company with 1,000 employees. “Meanwhile, we’ve
still got the network degraded, traffic’s going through the roof, and
we don’t know where it’s coming from.”

In February, QuadraMed replaced its two Cisco IDSs with Securify's
SecureVantage security policy monitoring suite, which uses heuristics
technology called Network Behavior Engine to monitor for conformance
to enterprise security policies.

The  problem  with  IDS  and  IPS  systems,  says  Van  Waters,  is 
that  they  assume  everything  is  good  until  proven  bad. 
Policy  monitoring  defines  what  is  acceptable  and  anything 
outside  of  that  is  assumed  bad. 

“As soon as we plugged Securify in, we had visibility to everything
and were finally able to define what traffic was normal and what
wasn’t and tweak our policies accordingly,” he says. “This will give
us the ability to see and respond to zero-day exploits because we can
see what’s happening and where.”

IDS  extinction 

Policy monitoring technologies like this could lead to the demise of
IDS/IPS in five or so years, especially when partnered with endpoint
policy enforcement, says Mike Wanklyn, a communications security
expert for the U.S. Army. What’s still needed is kernel-level
enforcement to make sure policies can’t be tampered with, which he
believes is five or more years away.

“If  the  kernel  on  every  device  is  locked  down,  viruses 
aren’t  allowed  to  execute  and  can’t  prolif¬ 
erate.  An  attack  on  a  device  would  be 
stopped  because  that’s  not  an  action  that 
would  be  recognized  as  legitimate,” 
Wanklyn  says. 

Fundamentally,  we’ll  have  to  get  away 
from  signatures  and  move  monitoring 
lower  down  the  ISO  stack  to  the  applica¬ 
tion  layer  if  we’re  going  to  effectively  con¬ 
trol  malicious  code  events  without  an 
unreasonable  time  gap  between  discov¬ 
ery  and  repair,  adds  Winn  Schwartau,  pres¬ 
ident  of  the  Internet  Awareness  Company. 

“Intrusion-detection  companies  got 
locked  in  to  the  virus  mode  because  it’s  easiest,  and  it 
allows  them  to  make  constant  updates  and  have  an 
annuity  fee,”  Schwartau  says. “We  need  to  look  back  to  a 
patent  from  1999  from  the  University  of  Idaho  that  shows 
how  to  do  low-level  malicious  code  detection  before  it 
affects  the  network  or  the  application.  The  technology 
exists  and  [Defense  Advanced  Research  Projects 
Agency]  is  using  it.” 

In  the  near  future, IDS  will  take  a  back-seat  role  mainly  as 
a  forensics  and  event  analysis  tool,  Snyder  says. 

“If I were going to rebut the Gartner report, I’d say I don’t see IDS
as dead. I see IDS technology being built into other products and
ultimately being used for forensics purposes,” Snyder says. “What’s
dead is the sales pitch that IDS will protect the network. It never
did that in the first place.”

Radcliff is a freelance writer in Northern California. She can
be  reached  at  deb@radcliff.com. 
Network vulnerability management


Eight network scanning tools offer beefed-up management and remediation


BY  MANDY  ANDRESS,  NETWORK  WORLD  LAB  ALLIANCE 


A  vulnerability  rated  as  a  low  risk  this  morning  could  turn  into  your  worst 
nightmare  tonight.  To  meet  the  ever-increasing  speed  with  which  exploits 
are  written  and  propagated,  traditional  network-based  vulnerability  scan¬ 
ners  have  morphed  into  more  full-scale  vulnerability  management  products. 


In  our  latest  Clear  Choice  Test  of  eight 
products  —  assessing  their  accuracy  in 
pinpointing  holes  in  the  network  and 
their  usefulness  in  addressing  those  vul¬ 
nerabilities  —  we  found  vulnerability 
identification  success  rates  are  still  low 
across  the  board  and  the  scans  can 
wreak  havoc  on  wireless  access  points. 
They  also  can  do  damage  to  some  print¬ 
ers,  and  can  suck  up  network  bandwidth 
and  CPU  utilization  on  target  machines 
(see  How  we  did  it,  www.nwfusion.com, 
DocFinder:  4538). 

Vulnerability  remediation  and  tracking 
are  the  major  management  features 
added  to  these  products  since  our  last 
test  (DocFinder:  4525),  providing  mecha¬ 
nisms  to  assign  and  alert  administrators 
to  new  vulnerabilities.  These  additions 
range  from  providing  vulnerability  reme¬ 
diation  information  to  offering  full-blown 
ticketing  systems  that  automatically  veri¬ 
fy  if  an  issue  has  been  fixed. 

Business analysis features have been included in many products. With
this functionality, assets can be given values — in terms of cash or
business-critical value. These values can be correlated with how
vulnerabilities potentially could affect business, giving management a
more accurate picture of the company’s overall security posture. A
critical vulnerability on the core, Internet-facing system that
generates revenue should be treated differently than a critical
vulnerability on a system inside a test network that’s isolated from
the rest of the company, for example.

CLEAR CHOICE

Tenable's NeVo 2.0 passive scanner gets the nod for the most innovative
technology we saw in this round of testing. With passive scanning, NeVo
finds network vulnerabilities by continuously analyzing traffic.
Because it’s always listening, it’s not limited to scheduled scan times
and can quickly catch the new server placed on the network running a
vulnerable version of Secure Shell, for example. Additionally, because
the checks are passive, you don't have to worry about scan impact on
your network.

The companies that provided products and/or services for this test are
Lockdown Networks, nCircle Network Security, PredatorWatch, Qualys,
StillSecure, Tenable Network Security, TraceSecurity and Visionael.
EEye Digital Security, Internet Security Systems, Foundstone, NetIQ,
Bindview and Harris declined. We also tested Citadel’s Hercules (see
story page 52) and Sunbelt Software (DocFinder: 4539), but because
they offer no scanning module or management features, respectively,
we could not directly compare them.

Qualys’  QualysGuard  is  our  Clear 
Choice  winner  based  on  its  accuracy 
and  strong  management  capabilities. 
NCircle’s  IP360  comes  in  second,  only 
slightly  trailing  Qualys  in  vulnerability 
identification  and  general  ease  of  use. 
Visionael  Enterprise  Security  Protector 
and  Lockdown’s  Auditor  also  rose  to  the 
top  based  on  their  developing  manage¬ 
ment  capabilities. 

QualysGuard  3.3 

QualysGuard  —  one  of  the  two  vulner¬ 
ability  assessment  services  we  tested  — 
has  a  1U  appliance  that  sits  on  your  net¬ 
work  and  lets  Qualys  scan  your  internal 
subnets.  Setup  is  easy  and  the  quick  start 
guide  will  have  you  scanning  in  no  time. 
Because  it  is  provided  as  a  service,  the 
Qualys  team  seamlessly  adds  the  vulner¬ 
ability  checks. 

Our  discovery  assessment  focuses  on 
how  well  the  products  find  and  identify 
systems,  system  software  and  services 
running  on  the  network.  Our  accuracy 
measurement  takes  into  account  how 
well  the  product  identified  vulnerabilities 
that  existed  on  a  sample  of  lab  systems 
(see  “How  we  did  it,”  DocFinder:  4531). 

Qualys scored highest in our operating system identification checks
and was the only product to correctly identify the wireless access
point. It performed as well as any of the other products in the
vulnerability accuracy tests, but still reported some false positives
and false negatives. It did perform strongest among the products in
identifying Windows system vulnerabilities, though.

QualysGuard collected our Clear Choice designation based on its
accuracy and strong management capabilities.

Scan  impact  was  low  from  a  network 
perspective,  but  we  did  need  to  restart  a 
Red  Hat  Enterprise  system  that  became 
completely  unresponsive  after  the  scan. 

Overall,  QualysGuard  is  very  flexible 
and  easy  to  use.  IT  staff  and/or  corporate 
executives  can  be  given  varying  levels  of 
access  to  system  groups  and  reports.  Scan 
and  report  templates  provide  flexibility  in 
the  types  of  checks  that  are  performed 
and  how  the  results  are  viewed. 

Remediation  policies  can  be  config¬ 
ured  to  automatically  assign  tickets  in  the 
Qualys  ticketing  system  to  defined  indi¬ 
viduals  based  on  scan  results.  Qualys 
could  improve  on  remediation  if  it  added 
some  preemptive  notification  mecha¬ 
nism  to  tell  IT  folks  they  have  been 
assigned  a  remediation  task. 

In  terms  of  providing  some  business 
analysis  capabilities,  Qualys  lets  you  rank 
assets  in  terms  of  how  critical  they  are  to 
your  business.  A  score  is  then  provided  in 
the  summary  based  on  your  overall 
exposure  level  that  can  be  weighted 
based  on  how  critical  the  vulnerable 
asset  might  be. 

One of the best features of QualysGuard is its mapping functionality,
which provides a graphical representation of all the devices it
discovers on your network. You can drill down on the map to identify
the operating systems and services running on these devices, but can’t
see information on identified vulnerabilities from this vantage point.
In addition to the mapping, we’d also like to see some sort of
overview console that provides high-level information on the state of
vulnerabilities on the network.

NCircle  IP360  6.2 

NCircle  provided  a  central  reporting 
server,  VnE  Manager,  and  scanning  point, 
Device  Profiler.  With  this  tiered  approach, 
nCircle  runs  in  a  more  distributed  model 
than  some  of  the  other  products  tested. 

The IP360 provides the best business impact and risk-rating features,
offering unparalleled levels of detail. Users can provide asset values
for each host and calculate risk scores for each system based on the
asset value. This value is a quantitative number, generally dollars,
of the value of the asset to the company. As a consequence of this
increased functionality, it is not as easy to use as some of the other
products tested.

For system discovery, nCircle uses dynamic host discovery, its
technique for continuously evaluating environments for new systems on
the network. After running on the network for a few minutes, the
system had found all the devices in the lab.

For  operating  system  identification, 
nCircle  joined  Qualys  as  the  only  prod¬ 
ucts  to  correctly  identify  the  Cisco  VPN 
Concentrator.  But  it  missed  a  few  key  sys¬ 
tems  that  most  other  products  identified, 
including  the  FreeBSD  5.2  server  and  the 
Quantum  Snap  Server. 

For  vulnerability  identification,  nCircle 
consistently  reported  the  smallest  num¬ 
ber  of  vulnerabilities,  minimizing  false 
positives, but potentially introducing some
false negatives as well.

While nCircle's scan results might appear to include false negatives,
following the remediation guidelines for identified vulnerabilities
will address the known vulnerabilities in the system.

NCircle  accrued  the  lowest  network  and 
system  impact,  with  no  identified  issues  or 
spikes  in  network  traffic  or  CPU  utilization. 

One unique feature of the IP360 is its continuous scanning mode, which
provides non-intrusive, back-to-back scans of the whole network or of
only select segments. This is ideal for critical systems or networks
that need to be monitored at all times. NCircle provides a classic
scanning model of scheduling scans, grouping systems and providing
detailed user access.

NCircle takes a different approach in providing vulnerability
remediation information. For the sample of vulnerabilities we
reviewed, nCircle provided links to patched versions or specific
patches for a variety of operating systems. In a few instances, the
vulnerability remediation information did not match the specific
vulnerability identified, although following the recommended course
of action would in most cases have fixed the vulnerability because one
patch would fix several issues.

Visionael  Enterprise  Security  Protector 

Visionael uses Nessus as its underlying scanning engine and focuses on
providing some of the best vulnerability management functionality,
such as a customizable portal for viewing security trending
information.

Installing Visionael on Red Hat Enterprise worked well, although we'd
like to see Visionael better secure the assessment server by default
rather than leaving that up to the systems administrator.

Upon  initial  logon, Visionael  provides  the 
best  portal  functionality,  allowing  cus¬ 
tomization  for  each  user  and  quick  views 
of  identified  vulnerabilities,  current  risk 
level,  trending  and  trouble  ticket  status. 

There  were  a  few  issues  in  terms  of  sys¬ 
tem  identification  for  the  hosts  on  the  lab 
network,  namely  system  identification  was 
not  happening  as  we  configured  it.Working 


with  support,  we  enabled  the  detailed  oper¬ 
ating  system  checks  and  reduced  the  con¬ 
current  threads  from  200  to  20.  With  these 
changes  in  place,  we  got  operating  systems 
identification  results,  but  they  were  not  as 
detailed  as  we  would  like  to  see.  For  exam¬ 
ple,  all  Windows  systems,  regardless  of  ver¬ 
sion,  reported  back  as  “Windows.” 

For  network  and  system  impact, Visionael 
is  quite  loud. The  scan  locked  up  the  wire¬ 
less  access  point,  bluescreened  a  Windows 
XP  system  and  consumed  30%  of  the  CPU 
on  the  monitored  target  system. 

Viewing  individual  scan  results  provides 
an  overview  of  identified  vulnerabilities, 
with  a  breakout  summary  of  the  SANS  Top 
20,  which  is  unique  to  this  product.  We 
would  like  to  be  able  to  drill  down  into  the 
report  directly  from  the  vulnerability  num¬ 
bers  reported  in  this  overview  screen. 

The  reporting  module  provides  a  wizard 
to  create  custom  reports.  But  the  cus¬ 
tomization  options  are  so  abundant  that 
they  are  almost  overwhelming. 

The  ticketing  system  is  very  strong,  al¬ 
though  tickets  only  can  be  auto-assigned 
for  SANS20  or  high-level  vulnerabilities, 
which  is  fine  if  you  prefer  to  do  more  de¬ 


tailed  analysis  on  the  other  levels  of  vul¬ 
nerabilities  before  tasking  them  out. 

Visionael  can  auto-remediate  identified 
vulnerabilities,  but  this  functionality  was 
not  enabled  in  the  license  we  received  for 
testing. 

For business analysis, Visionael provides strong trending information, executive reports and business rank, based on assigning systems one of four levels depending on how critical each is to your business.

Lockdown Auditor 3.0

Auditor provides the most intuitive management features, but lags a bit with its scanning engine.

Lockdown's 1U scanning appliance is the most intrusive, utilizing 40M bytes of network bandwidth and on average 40% CPU on the target system. Administrators do not have any options to change scan configuration settings.

It performed fairly well in terms of operating system identification, missing only two devices and not clearly distinguishing a few Windows versions. In terms of accuracy, Lockdown Auditor hit and/or missed
See  Vulnerability,  page  52 
QualysGuard 3.3

Company: Qualys, www.qualys.com. Cost: $67,500 for 1,000 servers, and $102,500 for 1,000 servers and 9,000 workstations. Pros: Excellent operating system identification; highly flexible scans and reports. Cons: No overview portal; no alerts sent on ticket assignment.

Company: nCircle Network Security, www.ncircle.com. Cost: Starts at $60,000 for 1,000 nodes and $150,000 for 10,000 nodes. Pros: Non-intrusive scans; excellent impact analysis tools, continuous scanning. Con: Vulnerability descriptions need improvement.


Company:  Visionael,  www.visionael.com. 
Cost:  Starts  at  $15,000  for  1,000  devices 
and  $120,000  for  10,000  devices.  Pros: 
Detailed,  customizable  portal  page; 
excellent  vulnerability  remediation 
information.  Cons:  Loud,  intrusive  scan; 
sensitive  operating  system  identification. 


Lockdown  Auditor  3.0 


Company:  Lockdown  Networks, 
www.lockdownnetworks.com.  Cost: 
$22,000  for  1,024  IP  addresses  and 
$178,000  for  10,048  IP  addresses.  Pros: 
Excellent  GUI;  intuitive  workflow.  Con: 
Scans  very  intrusive. 


VAM 4.0

Total score: 3.61

Company: StillSecure, www.stillsecure.com. Cost: $12,500 for 1,024 IP addresses and $45,000 for 10,048 nodes. Pro: Robust ticketing system. Con: GUI difficult to use.


Lightning 2.5, Nessus 2.0.12, and NeVo 2.0

Company: Tenable Network Security, www.tenablesecurity.com. Cost: $27,600 for 1,000 nodes and $100,800 for 10,000 nodes; $12,000 for NeVo per installation. Pros: Passive scanning product; unique Nessus technology. Con: No trending information.


TraceAudit

Total score: 2.74

Company: TraceSecurity, www.tracesecurity.com. Cost: $15,000 for 1,000 nodes; $39,000 for Class B network (approximately 65,000 nodes). Pro: Installs with hardened operating system. Cons: Poor user interface; scan data not encrypted on remote server.


PredatorWatch Auditor 128 2.2

Company: PredatorWatch, www.predatorwatch.com. Cost: $16,000 for 1,000 nodes and $28,000 for 10,000 nodes. Pros: Offers regulatory compliance reports. Cons: GUI very slow to respond; minimal scan reporting options.


The breakdown

Scan assessment (50% of overall score)
Discovery: 12.5%
Accuracy: 12.5%
Scan ease of use: 12.5%
Scan reporting features: 7.5%
Impact: 5%

Management assessment (50% of overall score)
Remediation features: 12.5%
Management reporting tools: 12.5%
Business analysis features: 12.5%
Documentation/ease of use: 12.5%

TOTAL SCORE
Qualys: 4.36
nCircle: 4.25
Visionael: 4.11
Lockdown: 4.06
StillSecure: 3.61
Tenable: 3.36
TraceSecurity: 2.74
PredatorWatch: 2.54

Scoring Key: 5: Exceptional; 4: Very good; 3: Average; 2: Below average; 1: Consistently subpar
Citadel focuses on vulnerability remediation

While vulnerability assessment products are moving solidly in the direction of vulnerability management, Citadel Security Software takes that shift one step further with its focus on automatic remediation.

Citadel's Hercules is an automated vulnerability remediation tool that pulls results from vulnerability assessment scanners, applies its own detailed knowledge on remediation procedures across a variety of platforms, and then either recommends remediation steps or makes them happen.

The main focus of the product is to run remediation tasks, which could be changing file permissions, changing a password, setting an operating system configuration option or installing a patch. Administrators also can script their own fixes if they desire, and full rollback options are available.

Agents are installed on target systems that listen for information from a Citadel central server on how to handle remediation tasks. Remediation scripts also running on the target systems are responsible for fixing identified vulnerabilities.

You  can  use  Hercules  without  agents,  relying  on  Secure  Shell,  Windows  Services  or 
HTTP/Secure-HTTP  for  communications  to  the  system  from  the  central  server. 

Citadel also helps you use its remediation tool to further policy compliance. You can use Hercules to define policy groups. When scan results are imported, Hercules automatically pushes out fixes to machines that don't follow group policy if that is how the administrator has set up the script.

While  auto-remediation  sounds  great,  system  administrators  are  wary.  The 
remediation  is  based  on  the  vulnerability  assessment  results,  so  you  need  to 
ensure  those  results  are  accurate  for  auto-remediation  to  be  successful. 

—  Mandy  Andress 
to the same degree as most competitors.

Scan reporting is strong, providing a summary of identified vulnerabilities. We liked the job queue functionality, which shows the percent completion of each system being analyzed in the current scan.

In terms of management, Lockdown’s user interface is the best of the products tested, combining graphics and a workflow very effectively. While it does not contain a specific portal, the initial logon window defaults to the report section. This provides an online version of the Executive Summary, which contains an overview of scan results and trending information.

For business impact analysis, the system provides a rating number based on scan results. You can assign critical values to specific systems, which then will be weighted more heavily when calculating the overall rating.

Lockdown’s vulnerability notification capability was excellent and lets administrators define policies that trigger alerts. You can configure a policy that sends a page or SNMP trap and opens a ticket if a specific port was opened on a system.

Other unique Lockdown features are the ability to encrypt e-mail that has account information using gpg and the ability to authenticate users against a corporate Lightweight Directory Access Protocol directory.

For remediation, it provides an excellent breakdown of problem, solution and resolution for identified vulnerabilities, including Common Vulnerabilities and Exposures numbers and links to related security advisories or remediation steps.

StillSecure  VAM  4.0 

StillSecure’s  VAM  was  a  solid  performer  in 
both  scanning  and  management.  Setting 
up  VAM  on  the  vendor-supplied  server  was 
simple.  The  software  automatically 
installed  on  the  system  from  a  CD  when  it 
booted  up. 

StillSecure’s  user  interface  is  not  intuitive 
and  is  difficult  to  navigate.  The  screen  is 
often  cluttered,  making  it  difficult  to  identify 
specific  information  or  tasks. 

However, StillSecure performed fairly well in scan tests. In terms of operating system identification, it only missed a few of the network devices, such as the NetScreen-100 and the Cisco VPN Concentrator. It incorrectly identified the wireless access point as an ATM switch.

It performed well on scan impact analysis, causing no noticeable issues.

The scan report provides a generic list of vulnerability titles that you can drill down into for more details, although report navigation is a bit cumbersome.

VAM includes a robust ticketing system for tracking vulnerabilities, but it doesn’t provide any business impact analysis functionality.

Reporting in StillSecure is functional and offers some trending and executive report facilities. But it doesn’t provide all the flexibility found in other products.

Tenable Lightning 2.5, NeVo 2.0 and Nessus 2.0

The primary author of Nessus founded Tenable, so it’s no surprise that Tenable’s suite of products taps deeply into the Nessus base code to yield some unique features, such as Unix authentication for local vulnerability checks.

In addition to the Nessus active scanning engine, Tenable’s Lightning product is the management console, and its NeVo product is the passive vulnerability scanner.

The Lightning/Nessus combination provides a very robust vulnerability search mechanism with the ability to search databases of identified vulnerabilities on almost any criteria. However, it doesn’t include any mechanisms to control trouble ticketing or remediation functions or offer any business impact analysis.

In scanning tests, Tenable performed fairly well. In terms of operating system identification, it missed some of the network devices but performed the best of the Nessus-based products on scan accuracy. The overall scan impact was minimal.

The reporting module inside the console automatically generates a few reports, such as 30-, 60- and 90-day vulnerability details. You also can create custom reports from a selection of filter criteria.

One area that could be improved is its vulnerability plug-in descriptions; plug-ins are what Nessus uses for its vulnerability checks. When trying to view the checks Nessus scans run, the drop-down box of signatures lists them by a nondescript ID, such as “CSCdp58462.” These aren’t very useful when trying to figure out what check is being performed.

Overall, Tenable has a very strong foundation, and we would like its vulnerability management functionality improved.

TraceSecurity’s  TraceAudit 

TraceAudit is delivered as a service but also includes an ISO — a file that contains a complete image of a disk — and a hardened version of Red Hat that installs on a network system and provides TraceSecurity access to internal systems for scanning.

The  results  of  your  scans  are  sent  over  an 
encrypted  channel  to  TraceSecurity’s 
servers,  with  the  results  available  from  the 
Web-based  management  interface.  The 
scan  results  are  not  encrypted  when  stored 
on  TraceSecurity’s  servers,  though. 

Reports  or  general  scan  results  do  not 
include  operating  system  information. 
Accuracy  of  scan  results  was  in  line  with 
the  rest  of  the  products. 

Scan impact was fairly low on the network, but it did cause a core dump on the HP print server.

The  user  interface  is  not  intuitive  from  the 
start,  but  it  becomes  more  usable  once  you 
understand  the  workflow.  One  oddity  after 
the  initial  scan  was  that  you  couldn’t  view 
the  results  until  you  associate  the  systems 
to  a  group.  If  you  launch  a  scan,  the  results 
should  be  automatically  viewable  through 
a  default  group  or  similar  architecture. 

TraceAudit doesn’t have a formal ticketing system, but the company recommends customers use the system grouping functionality to manage vulnerabilities. While this might work for some organizations, it doesn’t provide the full accountability and tracking we prefer in an enterprise vulnerability management product. It also doesn’t include an overview portal/summary for reporting or the ability to filter out SANS 20 results. This product also doesn’t offer any business impact analysis.


PredatorWatch  Auditor  128  2.2 

PredatorWatch was a bit above average in its scanning features but really needs to bulk up its management capabilities to compete with this lot.

PredatorWatch  runs  on  a  small,  square 
appliance  that  easily  could  fit  on  a 
desk.  The  software  is  available  on  a  1U 
appliance. 

In our scanning tests, PredatorWatch was on par with several other products in that it missed some network devices and didn’t differentiate between some versions of Windows. Scans locked up the wireless access point.

One  function  we  couldn’t  get  to  work  was 
launching  an  immediate  scan.  We  would 
select  a  scan  to  start,  but  it  never  began. 
Scans  would  start  fine  when  scheduled. 

The management GUI is slow and unresponsive. We had requests processing for 30 seconds or more before the page hit the screen. The GUI is also difficult to navigate and not intuitive.

PredatorWatch doesn’t provide a ticketing system, business impact analysis or user management functionality. It also only provides three reports — executive, management and administration — for each scan results set. Limited trending information is included from the previous scan, but we would like to see more custom report options and trending information.

PredatorWatch offers a unique feature with its compliance reports. Based on identified vulnerabilities, administrators can run reports to help identify weaknesses in Sarbanes-Oxley, Health Insurance Portability and Accountability Act and ISO 17799 compliance.

Conclusion

It’s good news that vulnerability assessment tools are embracing vulnerability management functionality. Ticketing systems, business impact analysis, console dashboards and custom reporting options quickly are becoming standard features.

However, the number of false positive and false negative scan results still points out that vendors need to continue to refine their scanning engines. Users will benefit from strong management tools only if vendors make sure the vulnerabilities bubbling up to the management tools are complete, accurate and do not affect target system functionality.

Andress is president of ArcSec Technologies, a security company focusing on product reviews and analysis. She can be reached at mandy@arcsec.com.

Maximizing  your  assets 

Management software helps firms get a grasp of their IT resources and use them more efficiently.


■  BY  LINDA  LEUNG 

In the late 1990s, Fidelity Investments operated its quickly growing network like an all-you-can-eat buffet, charging business units according to their head count. “It wasn’t a fair way to amortize the cost to the user, and many units were subsidizing others,” says Bobby Lie, vice president of enterprise architecture at the financial services firm in Boston.

Fidelity decided to charge departments based on the amount of IT resources they use and brought in the help of Evident Software. Evident helps Fidelity track its top-100 talkers — the most-used applications — by capturing traffic between IP devices. Monthly reports published on Fidelity’s intranet detail which application servers consume the most resources. This helps businesses understand that the more resources their applications use, the more their IT cost increases.

Organizations are turning to management software to bring visibility to IT and save money. Tools such as asset management (for tracking hardware, software and sometimes projects) and portfolio management (for tracking projects and IT personnel) help companies get a grasp of their IT resources to improve efficiency.

One surprising benefit Fidelity realized is the IT group’s newfound relationship with the business units. “Once, we couldn’t get the business managers’ attention — now they’re interested in working with us to optimize applications to minimize consumption and to better manage growth,” Lie says.

Fidelity also has identified and removed unnecessary software and reconfigured other software to run more efficiently. These improvements have obviated the need to buy more bandwidth to solve network performance problems, which helped to save more than $90 million since implementing the software in 1999.

Health insurance provider The Regence Group introduced Computer Associates’ Argis Portfolio Asset Management software to help rein in IT resources scattered across 38 offices in Oregon, Washington, Idaho and Utah. By putting information about its 40,000 asset pieces into the system and mapping that to business goals, Regence can better identify where to assign budgets and to discover which machines hold private health data in order to meet healthcare industry regulations.

Last year, the Portland, Ore., company saved $8 million, largely by recovering overcharges from some IT vendors. Regence noticed that some of its invoices didn’t include discounts that it had negotiated with various suppliers. The company would have just paid the overcharges — as it always had done — if it had not spent time uploading into Argis contract details for its software, hardware and contract personnel.

Like Fidelity, Regence also uses asset management for charge-back purposes. Argis lets Regence match items on cell phone bills to business units in 20 minutes. Previously, it would take one person up to three days to manually do this for each bill.

Regence began installing Argis in March and has uploaded information related to between 1% and 2% of its IT portfolio into the system. Through recovery of more overcharges and negotiations of better contract terms, the firm anticipates a further $2 million in savings this year, says Tony Dornbusch, manager of asset management at Regence’s IT Services division.

Sometimes, companies don’t realize they need to make IT more visible until a straightforward project turns into an ordeal. Martin County in Florida two years ago wanted to overhaul its 856 desktop systems spread across 133 facilities. “Our asset information was in spreadsheets, binders, people’s heads, backs of napkins. It became an arduous task evaluating the financial impact of changing desktops. Where were the systems located, in which building, what was the travel time? It was nothing to do with technology — it had to do with asset management,” says Kevin Kryzda, CIO of Martin County. It took seven months for the organization to collect the information and decide whether to switch platforms.

Swearing never to experience that pain again, Martin County this summer began deploying asset management tools from ITM Software. In addition to using the software to help it get a grip on its IT assets, Martin County links the software with its financial and procurement software to track whether projects are on schedule and whether they meet their objectives.

“Business managers can understand how their project competes against others and how much funding they will get based on this information,” Kryzda says. “Before, [budget allocation] was done by Ouija board. Now managers can understand why funding went to another unit, so they don’t walk away from the meeting kicking pebbles.”

MasterCard’s St. Louis Global Technology and Operations (GTO) center, which manages all of the transactions made worldwide using MasterCard’s products, uses Compuware’s Changepoint portfolio management software to track business-project milestones and record GTO staff time spent on projects and on day-to-day systems maintenance.

Changepoint was introduced into MasterCard in the third quarter of 2003 and became fully operational this July. MasterCard had anticipated cost savings of $3.1 million over five years. It now has revised this forecast to a two-year payback, says Jim Whalen, senior vice president of MasterCard GTO.

MasterCard has four categories of projects: applications that “keep the lights on,” that help generate revenue or reduce cost, and strategic improvements. Projects worth more than $50,000 are scored in five areas, such as cost and technical feasibility. With Changepoint, MasterCard allocates budgets and resources to projects that need them the most.

“Portfolio management helps us make sure we are aligned with corporate strategy. There is a single source of data for projects, and it provides a standardized way of managing projects,” Whalen says.


More  online! 

Fusion  exclusive:  How  The  Regence 
Group  got  boardroom  buy-in  for  an 
asset  management  tool. 

DocFinder:  4525 
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How  much  can  your  network  analyzer  see? 

Observer  is  the  only  fully  distributed  network  analyzer  built  to 
monitor  the  entire  network  (LAN,  802.1  la/b/g,  Gigabit,  WAN). 
Download  your  free  Observer  10  evaluation  today  and  experience 
more  comprehensive  real-time  statistics,  more  expert  events,  and 
more  in-depth  analysis  letting  you  dive  deeper  into  your  network 
than  ever  before.  Choose  Observer. 

-DRflGER-  Guard  against  the  latest  network  threats  by  identifying 
and  isolating  infected  systems  automatically. 


-  BRTR  Mini  RG-  Analyze  gigabit  traffic  and  massive  amounts 
of  data  with  Observer's  expanded  options  for  data  mining. 


-JlinK  TRAFFIC-  Identify  broadcast  storms,  monitor  excessive 
traffic,  and  optimize  bandwidth  with  Observer's  many  utilization 
metrics  and  over  30  real-time  statistics. 


US  &  Canada  toll  free  800.526.5958 
fax  952.932.9545 


UK  &  Europe  +44(0)  1959569880 


www.networkinstruments.com/analyze 


A  KVM  switch  allows  single  or  multiple 
workstations  to  have  local  or  remote  access  to 


SERVERS  WITHIN  YOUR  REACH 


KVM  RACK  DRAWER  WlTH  KVM  SWITCH  OPTION 


Staqcliff  Road 
>0,.  Texas  77099 


|ji||;€L>ROPE 
RtJSfe  AUSTRALIA 


+281  933  7673 
+44  (0)  1264  850574 
+65  6324  2322 
+6173388  1540 


UltraMatrix  Remote 

REMOTE  MULTIPLE  USER 
KVM  MATRIX  SWITCH 
ACCESS  OVER  IP  OR  LOCALLY 


UltraConsole 

PROFESSIONAL  SINGLE-USER 
KVM  SWITCH  SUPPORTS  UP 
TO  1000  COMPUTERS 


FROiV?  ANYWHERE 


multiple  computers  located  in  server  rooms  or 
on  the  desktop  regardless  of  their  platforms 
and  operating  systems.  KVM  switches  have 
traditionally  provided  cost  savings  in  reducing 
energy  and  equipment  costs  while  freeing  up 
valuable  real  estate. 


Recognized  as  the  pioneer  of  KVM  switch 
technology,  Rose  Electronics  offers  the 
industry's  most  comprehensive  range  of 
server  management  products  such  as  KVM 
switches,  extenders  and  remote  access 
solutions.  Rose  Electronics  products  are 
known  for  their  quality,  scalability,  ease  of  use 
and  innovative  technology.  \  ' 

.  . 

Ros£  Electronics  is  privately  held  with  world- 
headquarters  in  Houston,  Texas  and  sells  its 
products  worldwide  through  a  large  network  of 
Resellers  and  Distributors.  Rose  has 
operations  in  the  United  Kingdom,  Spain, 
Germany,  Benelux,  Singapore  and  Australia. 


•  Connects  1,000  computers  to  multiple  user  stations 
over  IP  or  locally 

•  High  quality  video  up  to  1280  x  1024 

•  Scaling,  scrolling,  and  auto-size  features 

•  Secure  encrypted  operation  with  login  and  computer 
access  control 

•  Advanced  visual  interface  (AVI) 

•  No  need  to  power  down  servers  to  install 

•  Free  lifetime  upgrade  of  firmware 

•  Available  in  several  models 

•  Easy  to  expand 

800  333  9343 

WWW.ROSE.COM 


Connects  up  to  1000  computers  to  a  KVM  station 
Models for 4, 8, 16 computers
Advanced  visual  interface  (AVI) 

Compatible  with  Windows,  Linux,  Solaris,  and  other  O/S 
Connects  to  PS/2,  Sun,  USB,  or  serial  devices 
Converts  RS232  serial  to  VGA  and  PS/2  keyboard 
Free  lifetime  upgrade  of  firmware 
Security  features  prevent  unauthorized  access 
Full  emulation  of  keyboard  and  mouse  functions  for  automatic, 
simultaneous  booting 
Easy  to  expand 


ELECTRONICS 


Cyclades  AlterPath™  KVM/net 
offers  a  unique  set  of  features: 

■  Server-based  authentication 

(NT  domain,  LDAP,  Secure  ID,  RADIUS,  TACACS+) 

■  16  and  32  port  models 

■  CAT5  cabling  up  to  500  feet 

■  User  access  logging 

■  System  event  syslog 

■  Integrated  power  management 


Over  80%  of  Fortune  100 
choose  Cyclades. 
Enjoy the magic


Secure  KVM  over  IP  switch 


Web-based access


We've  worked  our  magic. 
Now  you  can  work  yours. 


www.cyclades.com/nw 

1.888.cyclades ■ sales@cyclades.com


cyclades 
Sentry Gives You Secure Web/IP Based Remote Site Management


"NEW!" Secure Shell (SSHv2) Encryption
"NEW!" SSLv3 Secure Web Browser
"NEW!" Active Directory with LDAP
SNMP MIB & Traps
Integrated Secure Modem
True RMS Power Monitoring
Outlet Receptacle Grouping for Dual-Power Servers
Fail-Safe Transfer Switch for Single-Power Supply Servers
Power-up Sequencing Prevents Power In-rush Overload
Temperature & Humidity Environmental Monitoring
Zero U & Rack-mount Models
110/208 VAC Models with 30-Amp Power Distribution
NEBS Approved -48 VDC Models Available


Server  Technology 

Solutions  for  the  Data  Center  Equipment  Cabinet 


When  servers  and  network  devices 
in  the  data  center  lock-up,  network 
managers  need  fast,  secure  and 
reliable  tools  to  respond.  With 
Sentry™  Remote  Site  Managers, 
an  administrator  can  immediately 
reboot  a  remote  system  with  just 
a  few  mouse  clicks.  Sentry  also 
provides  accurate  input  current 
power  monitoring,  environmental 
monitoring  and  integrated  secure 
console  management  using  SSH. 

Server Technology, Inc.
1040 Sandhill Drive
Reno, NV 89521
USA

toll free +1.800.835.1515
tel +1.775.284.2000
fax +1.775.284.2065

www.servertech.com 

sales@servertech.com 

©Server  Technology,  Inc.  Sentry  is  a  trademark  of  Server  Technology,  Inc. 


Terminal server vendors, who proclaim that
they have Secure Out Of Band products, rely
on RADIUS, TACACS+ and other in-band
protocols to provide security. By inference,
they imply they secure out of band access
when, in fact, they offer only network security,
which conflicts with out of band access.


CDI offers:

• Hardware encryption over dial-up
and network connections

• RSA certified SecurID authentication
without a network.

• Patented central management of all
remote devices

• Full NIST, FIPS 140-2 certifications

• Remote Power control

• Homologous world-wide approved
internal modems


CDI has been building encryption equipment for over fifteen years. Our customers and partners include
major financial institutions, government agencies, major telcos, utilities, and the United States military.


Communication Devices Inc.

www.outofbandmanagement.com
Embedded
Interface

Internal Voice, Modem & Pager Port


8  RJ-45  Sensor  Inputs 

(Temperature,  Humidity, 
Water,  Motion,  Power, 
Smoke/Fire) 


Microphone 

for  Sound 
Monitoring 


BE  NOTIFIED  BEFORE  CRITICAL  EVENTS  TURN  INTO  DISASTER! 


•  Eight  environment  inputs 

•  Power  sensing 

•  Monitors  64  IP  addresses 

•  Send  alerts  to  64  people 

•  8  methods  of  contact 

•  Calendar  scheduling 

•  Expands  to  256  sensors 

•  Remote  power  control 

•  Optional  camera 


The Sensaphone IMS-4000 Infrastructure
Monitoring System monitors critical environmental
and network elements in your server
room, data center, or telecomm installation and
reports to you instantly when events threaten
your infrastructure. The IMS-4000 keeps watch
so you don't have to. See these features and
more on the web at www.ims-4000.com


There  May  Be  a  Hole 
in  Your  Data  Center's  Security, 


Raritan's  Dominion™  KX.  Better  KVM  Over  IP. 


Holes  in  Swiss  cheese  mean  the  cheese  is  ripe.  Holes  in  security  mean  you're  the  one  who's  ripe  -  for  problems.  Unlike  some  other  KVM 
providers,  Raritan  encrypts  all  KVM  traffic  -  keyboard,  mouse,  AND  video  with  128-bit  RC4  encryption,  providing  you  with  the  most  secure 
solution  on  the  market.  With  Dominion  KX,  you  can  access,  diagnose  and  monitor  even  the  worst  server  problems  anywhere  in  the  world 
without  security  worries.  But  that's  not  the  only  reason  to  consider  our  newest  Dominion  product.  It's  a  plug-and-play  appliance;  it's  incredibly 
scalable;  it  works  even  when  your  network  is  down.  And  it  carries  Raritan's  19-year  heritage  of  Data  Center  innovation.  Which  means  you  get 
the  most  dependable  KVM  over  IP  solution,  instead  of  smelling  like  bleu  cheese. 


Test-drive  the  industry's  most  secure  KVM  over  IP  technology  and  get  your  copy  of  a  free  White  Paper: 
"Understanding  the  Security  Implications  of  Deploying  KVM  Over  IP" 

Call  1-800-724-8090  x1428  or  visit  us  at  Raritan.com/1428 
CommandCenter


The  KX  Digital  KVM  Switch 
is  a  core  building  block  of 
Raritan's  Complete  Data  Center 
Management  Solution. 


Dominion 

Series 


Paragon  II 


IP-Reach 


©  2004  Raritan  Computer,  Inc.  Raritan,  Paragon,  IP-Reach,  Dominion  and 

CommandCenter  are  trademarks  or  registered  trademarks  of  Raritan  Computer,  Inc. 


When you're ready to take control


YOU  WANT  COMPLETE  VISIBILITY. 


MAKE  IT  HAPPEN 


Remote  Monitoring  Solutions 

RMON  and  HCRMON  Probes 

You  want  remote  monitoring  solutions  for  visibility  into  every  part  of  your  network.  With 
RMON  and  HCRMON  Probes  from  Network  Instruments,  it’s  easy.  Convert  any  PC  into  a 
complete  remote  network  monitoring  data  collection  device.  Use  the  RMON  appliance 
(available  in  1U  and  4U  systems)  for  a  full  turn-key  solution.  Call  800-526-7919  for  more 
information  or  visit  our  website  at  www.networkinstruments.com/RMON. 


One Network • Complete Control

Wired  to  Wireless  •  LAN  to  WAN 


Full compliance with RMON1, RMON2 and HCRMON
High capacity RMON Probes provide full-duplex Gigabit
capture compatible with any RMON management console or
collection facility (Observer®, OpenView, Concord®,
NetScout®, Micromuse™)

Complete, industry standard, software-based probes for
Windows 2000/XP

Software based, non-dedicated data collection
Compatible with Network Instruments’ optimized ErrorTrak™
NDIS drivers, which display true errors-by-station.
VERILINK


WORLDWIDE  PROVIDER 
OF  NETWORK 
HARDWARE 
SINCE  1981! 


Network Hardware


•  Memory 


sales@wrca.net 
MERGING MARKETS


www.nwfusion.com 


Bsirel  Power  on  Any  AC 

Powered  Device ... 

Via  Web  Browser,  Telnet, 

Modem  or  Local  Terminal 

Servers,  routers,  and  other  electronic  equipment 
occasionally  “lock-up”,  often  requiring  a  service  call 
to  a  remote  site  just  to  flip  the  power  switch  to  perform 
a  simple  reboot.  With  WTI’s  Remote  Power  Switches, 
you  can  perform  reboot  and  On/Off  control  from 
anywhere! 
Want an On-Line Demo?

Just  call  or  email  and  you’ll  see  for  yourself  why  so  many 
network  professionals  choose  WTI. 


Web  Browser  Access  for  Easy  Setup  and 
Operation 

Encrypted  Password  Security 

Dual  15  Amp  Power  Circuits 
Total  30  Amps  Maximum  Load 

115  VAC  and  230  VAC  Models 
Sixteen  (16)  Individual  Outlets 
RS232  Modem  /  Console  Port 
Network  Security  Features 
Power-Up  Sequencing 

Also  Available  in  4,  8  &  16  Plug  Models  and 
Horizontal  1U  and  2U  Models 

Web  Browser  Interface 


Yes,  We  are  Customer  Friendly! 

✓ Two Year Warranty
✓ We Stock for Same Day Shipment
✓ 30 Day No-Fee Return Policy
✓ Start-up Cables and Rack Kits Included


Dual Power Inputs

1600


www.wti.com 


western  telematic  incorporated 

5  Sterling  •  Irvine  •  California  •  92618-2517  •  (800)  854-7226 


NETWORK 


US  &  Canada:  (952)  932-9899 

Toll  free:  (800)  526-7919 

UK  &  Europe:  +44  (0)  1959  BW 


OBSERVER 




©  2003  Network  Instruments,  LLC.  All  rights  reserved.  Network  Instruments,  Observer,  ErrorTrak  and  the  Network  Instruments  logo  are  trademarks 
or  registered  trademarks  of  Network  Instruments,  LLC.  All  other  trademarks,  registered  or  unregistered,  are  sole  property  of  their  respective  owners. 
www.smcplus.com/tips

Unique technical furniture
solutions at your fingertips

Total Solutions in
> enterprise enclosures
> network operations centers
> monitoring & management control

Log on for free “Practical Guide to Cooling”

Technical Furniture Solutions


PO Box 431 • Conklin, NY 13748
1-800-SMC-PLUS  •  www.smcplus.com 
A  wholly  owned  subsidiary  of  Fisher  Hamilton,  LLC 


Luggage,  Fine  Leather  Goods, 
Gifts,  and  more! 

Tumi,  Hartmann,  Andiamo, 
Samsonite,  Cross 
10%  discount  for  Network 
World  readers 
Enter  code  NWW2004 


Advertising  Supplement 

IT  Careers  with  the  National  Laboratories 


Among  the  intellectual  set,  working  at  one  of  the  country's 
national  laboratories  is  similar  to  "going  to  the  big  show"  for 
a  baseball  player.  It's  the  top  rung  of  a  technical  career,  offering 
opportunity  to  the  best  and  brightest  to  be  involved  in  basic 
research.  From  the  latest  in  energy  research  to  nanotechnology 
development,  the  laboratories  are  using  information  technology  to 
create  what  once  was  considered  science  fiction. 

In  all,  the  national  laboratories  hire  better  than  3,000  people  each 
year  in  primarily  technical  slots.  While  a  goodly  portion  of  these 
jobs  requires  doctoral  studies  in  highly  specific  areas,  there  also  are 
career  entry  opportunities.  And  the  jobs  are  spread  among  the 
projects  and  programs  in  research  that  are  conducted  in  the  labs, 
as  well  as  in  the  computer  information  divisions  that  keep  the  labs 
humming.  The  most  important  aspect  of  applying  for  a  national 
laboratory  position  is  the  need  for  a  security  clearance.  Whether  a 
director  in  the  top  tiers  of  management  or  an  analyst  evaluating 
systems,  you'll  need  to  be  able  to  gain  a  high  ranking  Q  clearance. 

Among  the  ways  of  securing  the  clearance  is  to  take  part  in 
internships  prior  to  graduation.  However,  if  you're  already  a 
seasoned  IT  professional,  it's  crucial  to  get  that  clearance  to 
provide  a  hiring  edge. 

In general, the laboratories are managed for the Department of
Energy by large corporations such as Battelle or Lockheed Martin, or
by universities such as the University of California or the University
of Chicago. Pay is highly competitive and retention is intentionally
high; however, bonus structures follow a federal model rather
than corporate models.


Here's  an  overview  of  the  labs  and  their  missions. 

Argonne National Laboratory, Chicago, IL. Argonne is operated
by  the  University  of  Chicago.  The  staff  conducts  research  in 
physical,  life,  and  environmental  sciences  as  well  as  enhances  and 
advances  energy  resources  and  technology.  More  recently,  this 
Chicago  based  lab  is  working  to  manage  and  solve  environmental 
problems  and  contribute  technologies  to  counter  terrorism  threats. 

Brookhaven National Laboratory, Brookhaven, NY. Brookhaven
focuses  on  high  energy  and  nuclear  physics.  Its  technical  staff  has 
openings  for  high-energy  physicists  who  also  have  expertise  in 
C++,  an  example  of  the  highly  specific  talents  being  sought. 

Idaho National Engineering and Environmental Laboratory,
Idaho Falls, ID. This facility has more than 6,000 scientists,
engineers  and  employees.  The  lab  undertakes  research  in 
environmental,  energy,  basic  science  and  national  defense.  Bechtel 
operates  the  lab. 

Lawrence  Livermore  National  Laboratory,  Livermore,  CA. 
Livermore  is  operated  by  the  University  of  California.  Its  mission  is 
to  support  national  security,  ensuring  that  the  country's  nuclear 
weapons  are  safe,  secure  and  reliable.  The  staff  includes  an 
Information  Operations  and  Analysis  Division  and  is  among  the 
labs  most  involved  with  cyber  security  issues.  Among  the  system 
demands  being  implemented  is  a  secure  wireless  network 
for  employees. 

Los  Alamos  National  Laboratory,  Los  Alamos,  NM.  Los  Alamos 
makes  headlines  for  more  than  security  breaches  -  this  is  home  to 
space  exploration,  nuclear  research  and  was  founded  as  the 
birthplace  of  the  atom  bomb.  The  lab  is  operated  by  the  University 
of  California.  The  lab  offers  career-starting  positions  in  computer 
science,  physics,  computer  engineering  and  software,  with  an 
emphasis  on  artificial  intelligence,  security  and  large-scale 
computational  sciences. 


National  Energy  Technology  Laboratory,  Pittsburgh,  Tulsa  and 
Morgantown, WV. NETL is the only national lab that is operated
and  managed  by  the  Department  of  Energy.  Its  role  is  to  conduct 
research  that  advances  fossil  energy  exploration,  supply  and  end 
use  technology.  In  addition,  it  now  includes  environmental 
research  and  technologies. 

National  Renewable  Energy  Lab,  Golden,  CO.  Operated  by 
Midwest  Research  Institute  and  Battelle,  NREL  staff  members  are 
involved  in  the  study  of  renewable  energy  and  energy  efficiency 
research.  While  geologists  and  PhDs  in  statistical  analysis 
dominate  the  staff,  there  also  is  a  strong  information  technology 
organization  with  openings  in  senior  analysis  slots. 

Oak  Ridge  National  Laboratory,  Oak  Ridge,  TN.  Operated  by  the 
University  of  Tennessee,  Knoxville,  Oak  Ridge  is  known  as  the 
"ultimate  scientific  community."  Opportunities  focus  on  ultrascale 
computing,  large-scale  simulations  and  technical  support  for  the 
organization's energy-based research.

Pacific Northwest National Laboratory, Richland, WA (with
operations  in  San  Antonio,  TX  and  other  sites).  PNNL  is  a  center  of 
excellence  for  the  national  labs  in  computational  sciences.  Cyber 
security  is  a  major  focus  for  the  staff,  as  is  basic  scientific  research 
and  insertion  of  new  technologies  into  full-scale  operation. 

Sandia  National  Laboratory,  Albuquerque,  NM.  Operated  by 
Lockheed  Martin,  Sandia  has  an  extensive  reach  in  technologies 
and  research,  from  fundamental  research  to  projects  that  support 
national  security,  nuclear  weapons,  nonproliferation  and 
assessment,  military  technology  and  energy.  Among  its  newer 
assignments,  the  lab  is  heavily  involved  with  infrastructure 
assurance  and  homeland  security.  Over  the  past  five  years,  Sandia 
has  hired  400  engineers  and  technicians  annually. 

For  more  information  about  IT  Careers  advertising, 
please  call:  800.762.2977 
Engineer

Sr. Software Engineer

VoIP Systems

Design, develop and implement complex network monitoring and
billing applications for global Internet Telephony voice and
data networks to include routing and DNIS rollup tools, pricing,
and the fine-tuning and enhancement of the same and automation
and integration of business processes. BS Engineering with 5
years experience as Software Engineer and/or Programmer/Analyst
with prior experience to include development of billing
systems and software applications for VoIP-Telecom industry.
Send resume, referencing Job Code: CW11-8, to: Teleglobe
(formerly ITXC Corp.), 750 College Road East, Princeton, NJ
08540. EOE


Senior Consultant to perform Oracle, Siebel, Ariba & other ERP
implems. re. funcnl. & tech d/zn, conversions, customizn. of
Oracle Mfrng. & Finance Applns. D/zn & dev. w/ Oracle (8.0.5;
8.1.6; & 8i), Oracle dev. tools & SQL Loader, TOAD, & DBA Studio.
ID & doc. biz & f/nl. req’s to ensure d/zn comply w/ biz. f/ns &
QTC processes. Resp. for strategy, opns., data conversion,
interfaces & mapping, form, rpts. d/zn, & training. Provide
primary client contact thru utilizing owned & alliance partner
resources. Pursue & secure new partnerships & enhance contract
scope. Adhere to budgets & schedules. BS in Mech. or Ind.
Engineering + 11 mo. exp. in job duties. Apply: A-1, 4278
Covington Hwy., Decatur, GA 30035 w/ proof of perm. w/k
authzn.


Software Applications Engineer - Design, develop, implement and
modify computer software applications for use in testing and
validating integration of software and hardware systems
employed in FDA regulated medical devices, and conduct
research to validate systems and report results, utilizing
Labview, advanced computer simulation techniques, computational
physics, advanced ENM, and superconductivity. Requires
B.S. or equivalent degree in Computer Science, Math,
Physics, Engineering, Chemistry (math based) or closely related
field, and three years experience developing software applications
utilized to test and validate operational software and
hardware in medical devices. (Note: Employer will accept M.S.
level degree in Computer Science, Math, Physics,
Engineering, Chemistry (math based) or closely related field in
lieu of three years of experience.) Send resume to: Michelle
Bakken, Human Resources, Stereotaxis, Inc., 4041 Forest
Park Ave., St. Louis, MO 63108.


Database  Administrator:  MS 
SQL  Servers/Sybase  D/bases: 
Install,  maintain  MSSQL 
Server(s)  &  Sybase  d/base 
w/data  migration  &  integrity  for 
complex,  high  end  OLTP 
d/base(s)  w/corollary  duties.  Exp 
w/Pathfinder  applic  &  ESPRANT 
tool.  Req:  Bach  of  Engg/Sci: 
Comp  w/relevant  certifications  & 
3  yrs  exp.  Resume  only  (no 
calls/e-mails)  to:  Attn:  CW/SF; 
National  Medical  Health  Card, 
26  Harbor  Park  Dr.,  Port 
Washington,  NY  11050. 


Software Engineer (Applications) (National Placement, two
(2) positions). Develop, create and modify computer applications
software for clients; analyze user needs and provide
solutions; design, architect customized software modules and
applications with the aim of optimizing operational efficiency.
Both positions require a Bachelor’s Degree in Engineering or
Computer Science and four years of related experience.
Position 1 requires a Java/Oracle Programmer with at least one
(1) year experience in digital certificates/SL security programming.
Skills must include: JAXB, HTTP/HTTPS SSL, log4j, Websphere,
WASD, LDAP, RDBMS. Position 2 requires a Mainframe
Programmer with a minimum of two (2) years working with State
Government Welfare & Unemployment Insurance Systems
that includes experience in 1) COBOL, 2) CICS 3) JCL 4)
REXX 5) DB2 6) IMS. $70,500/yr, 40 hrs/wk, 9a - 6p. Send
resumes, listing Job Order # WEB468727 to Site Manager,
Beaver County CareerLink, 2103 Ninth Avenue, Beaver
Falls, PA 15010-3957.


Computers - Seeking qualified candidates for senior and mid-level
IT professional positions including: Software Developers,
Software Engineers, Web Administrators, IT Analysts &
Technical Consultants. Qualified candidates must possess
MS/BS or equiv. and/or rel. work exp. Duties include: Work
with 3 of the following: C, C++, Java, XML, JSP, Visual Basic,
SQL, PL/SQL, Perl, and ASP. Fwd. resume & references to:
ICSA, Inc. 477 Congress Street, Suite 1002, Portland,
ME 04101.
SYSTEMS SOFTWARE ENGINEER to provide on-site consultancy
to analyze, design, develop, implement and modify systems
software in web architecture using Java, JSP, Servlets,
XML, HTTP, WebMethods and RDBMS, Oracle, DB2 and
WebSphere in Unix and Windows environment; VBScript,
XML, HTTP, WebMethods and SQL Server in Unix and
Windows environment. Require: Master in Computer Science/
Software Systems and four years experience in the job
offered or any experience providing skills in the described job
duties. 40% travel to client sites within the United States
required. Salary: $70,000 per year, 40-hours/week, 8:30 am to 5:30
pm. Apply with resume to: Human Resource Manager, 4C
Solutions, Inc., 1201 7th Street, East Moline, IL 61244.


S/W Application Programmers to identify, solve problems/incidents
in SAP or Oracle suite of appls; analyze, design, maintain
appls using either SAP, ABAP, VB, NET, DW or Oracle database,
Oracle appls (Financial, Manufacturing, Distribution, HR,
Project), Oracle Appl Server PL/SQL, Reports/Forms on
Windows/UNIX OS; perform req analysis, conduct functional
testing/debugging; document, maintain & update use cases.
Require: BS or foreign equiv. in CS/Engg. (any branch) or related
field and 2 years exp in IT. Travel involved. F/T position.
Comp. salary. Resume to: HR, Quest America, Inc., 211 East
Ontario Street, Suite 1800, Chicago, IL 60611.


Software Engineer to analyze, design, develop and test client
server enterprise applications using J2EE, Java, C++, Servlets,
JSP, XML, HTML, CORBA, Oracle, Websphere on Windows
and UNIX operating systems; generate code from client
requirements using Visio 2000 and UML; evaluate and enhance
performance of enterprise application using JProbe Suite and
automate testing process using WinRunner. Require BS or foreign
equivalent in CS/Computer Engg with 3 yrs of exp in IT.
Competitive salary, F/T. Resumes to CyberObject, 3050
Business Park Drive, Suite A-1, Norcross, GA 30071.


IT Systems Manager (Miami Beach, FL) Plan, direct &
oversee all IT activities for presurgical info mgt co, incl
prod dev, quality control & security. Need bach in comp
studies, comp sci, IT or related field (or professionally
evaluated equiv exp) + knowledge of DB, OS & networkg.
Send resume/letter in dupl to MMF Systems, Inc, 4701
Meridian Ave, Nichol Bldg, Level E, Miami Beach, FL
33140.


Software Engg. needed. Burlington, MA based company has
positions avail. for qualified candidates possessing MS or equiv.
w/ rel. work exp. Duties include: Design, develop, implement &
customize software applications for various business clients
using 3 of the following: Sun Solaris, Load Runner/Win Runner,
Weblogic, Unix, C/C++, VB, VC++, Java, NET, EJB, J2EE,
ASP.Net/ADO.Net, DOORS, Rational Rose and Visio, Websphere,
Javaservlets, Perl, Corba, HTML/XSL/XML/DHTML,
COM/DCOM, PL/SQL & Oracle/Sybase databases. Mail resume
to Iconsoft Inc., 101 Cambridge St., Suite 305, Burlington, MA
01803.


Project Director in Mesa, AZ to direct & id. manageable onsite/
offshore elearning & applications development projects.
Must have MS deg., or foreign equiv., in Eng., Comp. Sc. or rel.
field & 3 yrs. proj. eng. exper., incl. proj. design, implementation,
planning, reqts. analysis & execution, 2 yrs. exper. in software
proj. eng. for comp. or web-based training & proj. mgmt.
exper. Bach. deg., or foreign equiv., in Eng., Comp. Sc. or rel.
field & 5 yrs. progressive proj. eng. exper., incl. proj. design,
implementation, planning, reqts. analysis & execution, plus 2 yrs.
exper. software proj. eng. for comp. or web-based training & 1
yr. proj. mgmt. exper. can subst. for MS deg. & required exper.
Send resume to Hilary Gosselin, HR Manager, Lionbridge
Technologies, Inc., 492 Old Connecticut Path, Framingham, MA
01701.


Information  Technology 

COMPUTER  PROFESSIONALS 

(Multiple  Openings) 

Software  Engineer/Programmer 
Analyst,  Omaha,  NE 

Must have bachelors degree or equivalent and experience
(performing analysis, design, development, implementation,
maintenance) in some of the following skills: C/C++, Java, J2EE,
Cold Fusion, Frame Works (Struts, Spring Frame work, Hibernate),
Microsoft Technologies (Visual Basic, Net, ASP),
Mainframe (REXX, CLIST, ISPF, TSO, Skills, COBOL, DB2, JCL),
Windows 2000, NT, Sun Solaris and Linux. Must be able to travel
or relocate nationwide. Attractive compensation package.
Mail your resume to: info@solutionsdelivery.com or Human
Resources Director, Solutions Delivery, Inc., 4780 South 131
St, Suite 14, Omaha, NE 68137.


Oracle Architect: Collect campaign mang't info, validate,
send data to Promotion History database.
Maintain eCommerce marketing & IFS. Reqs Campaign
Management & CDS w/in financial co; Req.
Logical & Physical database design using Erwin
data modeler. Req. exp loading data from a
Teradata database into an Oracle 8i DB. Fax resume
to Matt @ 704-334-9694.


Programmer Analysts (2 Positions) w/ Bachelors or Foreign
Equivalent in Computer Science or Engg or Math + 1 yr
exp in using .NET Applications, VC++, VB, C#, VB.NET,
SOAP, MSMQ, WIN32 APIs, ActiveX, ASP, Oracle, SQL
Server, Sybase, Rational Rose & Clear Quest Interface
Messaging. Mail res to: Compu-Info, 410 Kingstown
Rd., #2A, West Kingston, RI 02892.


Software Engineer. Develop, modify, analyze programs
& apps utilizing s/ware devel life cycle.
Bachelor in CS, Eng'g, or similar, plus 6 mos utilizing
SDLC, incl Java, IBM Websphere, Eclipse, &
HTML. Contact A. Hill, Job #2416.07, Irwin Mortgage
Corporation, 10500 Kincaid Dr, Fishers, IN 46038.


Paradigm  Infotech  is  looking  for 
programmer/system  analysts, 
DBA,  s/w  engineers.  Candidate 
must have BS/MS with experience.
Good skills in C/C++,
Java,  Oracle,  WebLogic,  VB, 
HTML,  ERP  are  plus.  Traveling 
required  for  some  jobs.  Apply 
iobsl®  naradiaminfotech.com. 

K&M Softech is looking for programmer/system
system, software/project
engineers or IT professionals.
Both entry & experienced
levels needed. Some
positions require travel. Skills in
C/++,  VB,  Java,  Oracle,  SAP, 
SQL  are  plus.  Please  send 
resumes  to  Recruit/ffikmsoftech 

EOE.  No  call. 

Infogen is seeking IT professionals
to design applications for
clients  using  Oracle9i,  Weblogic 
/  WebSphere,  C++,  Visual  C++, 
VB,  COM,  STL,  MTS,  MSMQ, 
ASP,  Java,  HTML,  XML,  MTS, 
MSMQ,  ADO,  UML.  Min  BS/MS, 
travel  is  required.  Send  resume 
to  infoiobsiSJinfoaeninc.com. 

.com.  EOE.  No  calls. 

Staffing  Tree,  LLC  has  openings 
for System Analyst, IT consultants/recruiters.
BS or equivalent required.
Exp. in Oracle,
Java, C/C++, SQL & IT placement/marketing
is strong plus.
Travel  required  for  some  posi¬ 
tions.  We  sponsor  green  card. 
Please  contact  debdasffi/staf 

EOE. 

finq-tree.com.  EOE. 

Programmer/Analyst, Washington, DC. Assist in design, dev. &
implementation of client/server distributed software architecture;
Portal, CRM, ERP, B2B, & B2C software using Java, JavaScript,
XML/XSL, HTML, Oracle PL/SQL & C++ languages; JDK,
J2EE, XSLT, SOAP, Portals technologies; software such as
IBM WebSphere Application Developer, Microsoft Windows
NT/2000/XP, Microsoft SQL Server, Oracle Database. Reqd
B.S.C.S & 2yrs exp. Send resume S. Arseniev, V.P., Ref. #
99 A3, 3307 M St., N.W., Ste 200, Washington, DC 20007.

UNIX  Database  Administrator: 
install,  maintain,  repair  optimize, 
data  storage/integrity/retrieval 
for  Unix  scripting  &  corollaries. 
Plan,  secure  data  transfer  to 
non-Unix  platforms  as  needed. 
Bach  in  Electronics  Engg,  Comp 
Sci or related field, w/Oracle,
SCO,  Novell,  &  relevant 
Certifications,  &  3  yrs  exp  req'd. 
Resume  only  (no  e-mail/calls): 
Attn:  CW  UDA  Sandata 

Technologies  Inc.,  26  Harbor 
Park  Dr.,  Port  Washington,  NY 
11050. 

Software Applications Engineer - Assigned as IT Consultant with
project management responsibility, to design, develop and
modify JSP, Servlets and software for web and general computer
applications utilizing J2EE, STRUTS, Oracle/SQL and Java
SDK. Multiple Openings Available. Requires Bachelors or
equivalent-level degree in Computer Science, Computer
Engineering, Mathematics or closely related field, and three
years experience as Java/J2EE Developer in Web Applications.
Send resume to Rick Heinlein, Ferguson Consulting, Inc.,
12444 Powerscourt Dr., Ste. 235, St. Louis, MO 63131.

Database  Administrator  wanted 
by  consulting  co.  in  IL  to  manage 
co's  Novell  LAN,  assess  &  repair 
comp  problems.  Recommend/ 
implmt  new  s/ware  &  h/ware. 
Utilize  various  comp  prgms  & 
act  as  liaison  btwn  facility  & 
technology  service  vendors. 
Must  have  Bach  degree  or  equiv 
&  1  yr  exp  in  job  offd  or  any 
Prgmr  Analyst  position.  Empl¬ 
oyer  will  accept  combo  of  edu 
&/or  equiv  exp  in  Prgmr/Analyst 
in  lieu  of  Bach  deg.  Respond  to: 
MY  Management,  Mr. 

Mohammed  N.  Yaqoob,  8060 
Lawndale,  Skokie,  IL  60076.  No 
calls. 

Embedded  S/W  Eng.  Design  & 
develop  s/w  protocol  stacks  for 
1394,  802.3  home  network  sys¬ 
tems.  Design  &  implement 
device  drivers  using  C/C++  on 
Linux/Unix/Windows.  Perform 
system  verification  &  evaluation 
&  FPGA/Board  debugging. 
Bach's  degree  in  Comp  Sci, 
Physics  or  Elec  Engrg  reqd  +  1 
yr  s/w  engrg  exp.  Snd  resume  to 
Panasonic  Semiconductor,  550 
South  Winchester  Blvd,  Ste  300, 
San  Jose,  CA  95128,  Attn:  HR, 
DA 




Prog  Analyst.  Desgn,  devlp  & 
maintain  news  website.  Create 
page  layouts  using  Quark¬ 
XPress,  PageMaker,  CorelDraw, 
Illustrator  &  Photoshop.  Prep 
files  for  printng  by  pulling 
bleeds,  replacing  &  calling  out 
images.  Use  Adobe  Acrobat  & 
Photoshop  for  production  &  out¬ 
put  w/press  specfctn  by  doing 
color  correction,  image  cutting  & 
other  digital  imaging  techniques 
incldng  color  separation  running 
Pitstop  s/ware.  Post/retrieve  e- 
files  to  FTP  server.  Rsrch,  anlyz 
&  troublsht  corrupt  data  utilzng 
Java,  C,  &  C++.  Req  Bach  deg 
or  forgn  equiv  in  Sci,  Comp  Sci, 
Buss  Admin  or  Comm  &  2  yrs 
exp  in  duties  listed.  In  lieu  will 
accept  3  yrs  college  &  2.5  years 
exp  or  any  comb  of  edu,  training 
&/or  exp.  Resume  to:  Director, 
HR,  India  Abroad  Publctns,  43 
W.  24th  St,  7th  Fl,  NY,  NY 
10010.  Fax:  212-627-9503 


Seeking  qualified  applicants  for 
the  following  positions  in  Mem¬ 
phis,  TN:  Senior  Business  Ap¬ 
plication  Analyst.  Act  as  liaison 
between  technical  developers 
and  users/customers.  Require¬ 
ments:  Bachelor's  degree  or 
equivalent*  in  computer  science, 
math,  statistics,  business,  MIS 
or  related  field  plus  5  years  of 
experience  in  analyzing  busi¬ 
ness  systems  and  developing 
technical  automated  solutions. 
Experience  with  airline  schedul¬ 
ing  systems  development  also 
required.  *Master's  degree  in 
appropriate  field  will  offset  2 
years  of  general  experience. 
Submit  resumes  to  Matt  Coplas, 
FedEx  Corporate  Services, 
2955  Republican,  Memphis,  TN 
38118.  EOE  M/F/D/V. 


Senior  Prog/Analysts  to  lead 
teams  to  analyze,  design,  appls 
with  OOAD  methodologies  us¬ 
ing  J2EE,  JDK,  JDBC,  EJB, 
Java,  HTML,  JavaScript,  XML, 
Weblogic,  Websphere,  Oracle, 
MS  SQL  Server  on  Windows 
envir.;  evaluate  user  requests 
for  new  programs  or  complex 
modifications  to  existing  pro¬ 
grams;  test/debug  programs; 
provide  training  to  team  mem¬ 
bers.  Require:  BS  or  foreign 
equiv.  in  CS/Engg  (any  branch) 
&  3  yrs  exp.  in  IT.  Competitive 
salary.  Travel  involved,  F/T.  Re¬ 
sume  to:  HR,  Bahwan  Cybertek 
Technologies,  Inc.,  209  West 
Central  Street,  Ste  312,  Natick, 
MA  01760. 


PROCOM  is  seeking 
Systems  Analysts  to 
implement  SAP  software 
systems  written  in  ABAP 
language  related  to 
finance  modules,  public 
sector  modules,  etc. 
Experienced  applicants 
please  respond  with 
resume  to:  Procom 
Services,  801  Campbell 
Rd,  E.,  Suite  110, 
Richardson,  TX  75081 
Attn:  R.  Kviring. 


Project  Engineer  needed  to 
gather  IT  mkt  intelligence;  write 
estimates,  proposals,  etc.  &  pre¬ 
sent  technical  architecture  to 
clients  &  tech  support  for  sales 
teams;  research  &  negotiate 
tech'l  partnerships;  provide  pro¬ 
ject  &  systm  engg  support  for 
projects  using  J2EE,  MS.NET, 
Voice,  Unix,  C++,  Oracle, 
Informix  &  mainframes.  Approx 
40%  Int'l  &  domestic  travel  reqd. 
Resume  to:  Hireme,  Global 
Consultants,  25  Airport  Rd, 
Morristown,  NJ  07960. 


Software  Engineer:  For  propri¬ 
etary  trading  firm,  responsible 
for  source  code  control  &  main¬ 
taining  a  homegrown  configura¬ 
tion  mgmt  system  that  runs  on 
Solaris  &  Windows  platforms; 
develop  tools  &  procedures  to 
facilitate  proper  usage  of  config¬ 
uration  mgmt  system  &  educat¬ 
ing  developers  on  the  usage  of 
those  techniques;  upgrade  3rd 
party  tools  as  needed  to  support 
software  development  dept. 
Reqs:  Bachelors  or  equiv.  in 
Comp  Sci,  Engineering  or  relat¬ 
ed  field.  3  yrs  exp  in  job  offered 
or  3  yrs  software  development 
or  configuration  mgmt  exp.  Exp 
must  incl.  using  Perl  and  C++  on 
Unix  &  Windows  NT  platforms. 
Proficiency  in  Windows,  Shell 
Scripting,  awk,  sed,  Rogue 
Wave  Libraries,  MKS  &  gmake. 
40  hrs/wk.  Send  res.  to  S-1,  P.O. 
Box  17182,  Phila.,  PA  19105. 


PROG.  ANALYST  - 
PEOPLESOFT 

Analyze,  dsgn,  dvlp,  modify, 
test,  troubleshoot,  implmnt,  inte¬ 
grate  &  support  high  volume, 
complex  client  web  &  appln- 
based  server  for  enterprise-wide 
financial  mgmt  appln  sys.  soft¬ 
ware  in  a  multi-hardware/soft¬ 
ware  environment.  B.S.  degree 
in  Comp.  Sci.  or  Engnrg  +  2  yrs 
exp.  in  job  offered  or  in  software 
engnrg  w/PeopleSoft  reqd.  Exp. 
must  include  integration  of 
Vantage-One  w/PeopleSoft  fi¬ 
nancial  applns;  Session  Initiali¬ 
zation  Protocol  dsgn;  AIX  ser¬ 
vers  &  DB2  dbase.  High  mobility 
preferred.  40  hrs/wk,  OT  as 
reqd,  8  am  -  5  pm,  $66,730/yr. 
Submit  resume  to:  Manager, 
Butler  county  CareerLink,  Pull¬ 
man  Commerce  Center,  112 
Hollywood  Drive.  Suite  101, 
Butler,  PA  16001-5699.  Please 
refer  to  Job  Order  No.  WEB 
469570. 


Director  Database  Admin:  Des¬ 
ign,  create  &  develop  database 
objects;  administer  applic.  after 
deployment;  configure  servers  & 
clients;  administer  d/b  system; 
develop  proposals  includ.  estimates 
for  costs,  time,  &  resources; 
prep.  statistical  reports;  complete 
cost/benefit  analyses; 
prep.  project  plans;  perform  project 
mngmnt.  tasks.  Oracle  exp., 
Performance  &  Tuning  skills, 
Unix  &  SQL  Server  database 
exp.,  Oracle  9i,  Quest  Toad, 
Perl,  Statspack  including  explain 
plans  &  tkprof.  On-Call  Availabil¬ 
ity.  Requires:  MS  Comp.  Sci.  &  1 
yr.  exp.  Comp  Salary.  Send  res¬ 
ume  to:  ELS,  HR  ATT:  Luciana 
Brown,  1052  Mamaroneck  Ave., 
Mamaroneck,  NY  10543. 


Product  Development  Manager 
(Miami  Beach,  FL)  Direct  & 
coord  R&D  of  new  IT  apps  for 
presurgical  info  mgt  co.  Consult 
w/  users  &  internal  business 
devel  teams  to  assess  IT  needs 
&  sys  requirements.  Design  & 
analyze  new  projs.  Oversee 
app,  develop  &  qual  control. 
Need  bach  in  comp  sci,  IT  or 
related  field  +  substantial  exp. 
Send  resume/letter  in  dupl  to 
MMF  Systems,  Inc,  4701 
Meridian  Ave,  Nichol  Bldg,  Level 
E,  Miami  Beach,  FL  33140. 


Programmer  Analyst  (Multiple 
Positions)  Install,  configure, 
administer,  tune,  and  trou¬ 
bleshoot  Sybase  Replication 
Server  11.5.1.  &  SQL  servers. 
Upgrade  Sybase  SQL  Ser¬ 
vers  &  perform  problem  deter¬ 
mination.  Tune  Sybase  SQL 
Servers  by  making  the  ser¬ 
vers  use  Async  I/O.  Req: 
Bachelor  in  Comp.  Sci., 
Comp.  Eng.,  or  Electrical  Eng. 
40hrs/wk.  Job/Interview  Site: 
Des  Moines,  IA.  Send  resume 
to  Emprise  Consulting  LLC  @ 
200  E.  Sandpointe  Ave,  Suite 
725,  Santa  Ana,  CA-92707. 


Application  Database  Admin¬ 
istrator  (DBA)  in  Bioinformatics, 
applying  expertise  in  Oracle  ver¬ 
sions  7  through  9  &  MySQL  to 
Bioinformatics  applics.  Work 
w/multi-site  project  teams  to 
dsgn  &  create  schemas  to  repre¬ 
sent  biological  data,  applying 
genetics/genomics  knowl.  Dvlp 
PL/SQL  code  to  satisfy  business 
rule  reqmts  for  projects.  Lev¬ 
erage  expertise  w/distributed 
d/bases  to  provide  enterprise- 
wide,  integrated  data  envrmt. 
Implmt  new  Oracle  features  to 
optimize  performance  &  func¬ 
tionality.  Utilize  applic  domain 
expertise  during  release 
processes,  data  curation  & 
transformation  tasks  throughout 
applic  life  cycles.  Implmt  moni¬ 
toring  &  reporting  tasks  to  identi¬ 
fy  &  predict  problems.  Provide 
daily  support  to  Bioinformatics 
d/base  customers.  Use  &  rein¬ 
force  project  mgmt  processes 
from  dvlpmt  to  test  to  produc¬ 
tion.  Be  available  for  scheduled 
off-shift  activities  to  minimize 
production  downtime.  Liaison 
w/systm  DBA  group  to  negotiate 
requests  to  meet  Bioinformatics 
needs  while  conforming  to  stds 
&  procedures.  Req.:  B.S.  or  for¬ 
eign  equiv  in  Comp  Sci,  Engg  or 
a  related  field.  4  yrs  exp  as  an 
Oracle  DBA.  Following  exp, 
which  may  have  been  obtained 
concurrently:  3  yrs  exp  w/distrib¬ 
uted  d/base  architecture,  incl 
instance  configuration  &  query 
execution;  2  yrs  exp  in 
Bioinformatics;  2  yrs  exp  w/ 
genetics  &  genomics  terminolo¬ 
gy  &  meaning;  &  2  yrs  exp  in 
SQL,  PL/SQL,  UNIX  &  MySQL. 
Resume  to:  E.  Franklin, 
GlaxoSmithKline,  5  Moore  Dr, 
Research  Triangle  Park,  NC 
27709 


Embedded  S/W  Engineer. 
Design,  Develop  &  release 
real  time  embedded  s/w. 
Write  s/w  application  &  vali¬ 
dation/verification  test 
specs.  Bach's  deg  in  Comp 
Engrg  or  Elect  Engrg  +  5 
yrs  prog  exp  in  specialty 
field.  Snd  resume  to  PASA, 
776  Highway  74  South, 
Peachtree  City,  GA  30269, 
Attn:  R  Henkel,  NB 


Programmer  Analyst 
needed  w/Bachelors 
degree  or  Foreign 
Equivalent  in  Engg.  or 
Comp.  Scie.  or  math  & 
2  yrs  exp  in  using 
C,C++,  Java,  Oracle, 
Developer  2000,  IIS, 
Tomcat  &  TCP/IP.  Mail 
resumes  to:  R.J. 
Ventures,  Inc.  15  East 
Germantown  Pike, 
Norristown,  PA  19401. 


Seeking  qualified  applicants  for 
the  following  positions  in  Orlan¬ 
do,  FL:  Senior  Programmer  An¬ 
alyst.  Formulate/define  function¬ 
al  requirements  and  documenta¬ 
tion  based  on  accepted  user  cri¬ 
teria.  Requirements:  Bachelor's 
degree  or  equivalent*  in  comput¬ 
er  science,  MIS,  engineering  or 
related  field  plus  5  years  of  ex¬ 
perience  in  systems/applications 
development.  Experience  with 
C,  Sybase  and  Unix  Shell  Scripting 
also  required.  *Master's  degree 
in  appropriate  field  will  offset 
2  years  of  general  experience. 
Submit  resumes  to  Carl 
Wilhelm,  FedEx  Corporate  Services, 
1900  Summit  Tower  Blvd., 
Suite  1400,  Orlando,  FL  32810. 
EOE  M/F/D/V. 


Quality  Assurance  Engineer  to 
develop  testing  methods  &  pro¬ 
cedures  to  ensure  product  & 
process  quality  for  company¬ 
wide  processing  &  on  multiple 
tasks/projects.  Will  generate 
comprehensive  test  plans,  test 
scenarios  &  test  cases  based  on 
business  requirements;  perform 
system  acceptance  testing  & 
user  acceptance  testing  to 
ensure  that  info  systems  &  ser¬ 
vices  meet  internal  quality  stan¬ 
dards  &  end-user  requirements; 
participate  in  formal  reviews  of 
application  designs,  business 
and  functional  requirements; 
write  &  reproduce  accurate  soft¬ 
ware  problem  reports;  develop 
automated  test  scripts  utilizing 
commercial  tools  &  will  be  re¬ 
sponsible  for  integration,  regres¬ 
sion  &  functional  testing  of  soft¬ 
ware  releases.  Will  identify  & 
resolve  technical  issues  &  pro¬ 
vide  technical  supervision.  Re¬ 
quires  Bachelor’s  or  equiv  in 
Comp  Sci,  Engineering,  Math  or 
Physics  plus  3  yrs  experience  in 
Job  Offered  OR  3  yrs  exper 
developing  &  testing  client/serv¬ 
er  and  web  applications.  Candi¬ 
date  must  also  possess  demon¬ 
strated  expertise  in  the  follow¬ 
ing:  developing  automated  re¬ 
gression  test  plans  &  cases 
using  WinRunner,  Test  Director 
and  AstraQuick  Test;  writing 
database  SQL  queries,  data  ver¬ 
ification  in  Informix/Oracle  on 
both  UNIX  &  Windows  O/S;  and 
in  performing  data  driven  testing 
&  verifying  dynamic  objects 
using  TSL.  Salary  $55,600/yr; 
Mon-Fri,  9AM-5PM.  Applicants 
must  submit  2  copies  of  resume 
to  Ginny  Burton  #4269,  Dept.  for 
Employment  Services,  275  East 
Main  St.,  2-WA,  Frankfort,  KY 
40621.  Equal  Opportunity  Em¬ 
ployer.  Only  persons  with  autho¬ 
rization  to  work  permanently  in 
the  U.S.  need  to  apply. 


IT  Managers  needed.  Seeking 
candidates  w/  BS  or  equiv  &  relevant 
work  exp.  Part  of  rel  work 
exp  must  include  2  yrs  working 
w/  VB  &  ASP  &  1  year  working 
w/  SQL  Server.  Exp.  can  be 
simultaneous.  Duties  include: 
Manage  IT  department,  develop 
IT  strategies  to  support  business 
objectives,  formulate  IT  road¬ 
map  to  integrate  &  align  busi¬ 
ness  processes.  Mail  resume  & 
refs.  to:  Human  Resources,  a2z, 
Inc.,  10320  Little  Patuxent 
Parkway,  Suite  201,  Columbia, 
MD  21044-3343. 


Programmer  Analysts  (mul¬ 
tiple  positions)  sought  by 
NJ-based  computer  s/w 
consultancy  firm  for  job 
location  in  Portland,  ME. 
Must  have  Bach  or  foreign 
equiv  in  Comp  Sci,  Engg  or 
equiv  &  1  yr  relevant  exp. 
Respond  to:  HR  Dept., 
Software  Galaxy  Systems, 
LLC,  480  Congress  Street, 
Suite  205,  Portland,  ME 
04101. 


Programmer  Analysts 

Analyze,  architect,  develop,  inte¬ 
grate,  and  test  multi-tier  Enter¬ 
prise  Applications,  System  Inte¬ 
gration  and  Implementation  us¬ 
ing  VC++,  Java,  XML,  Web 
Logic,  TCP/IP  programming, 
COM+,  SOAP,  WebServices- 
NET,  Databases  such  as 
SQLServer,  and  Oracle.  Req. 
Bachelor's  degree  in  Comp. 
Science  or  Engg.  and  2  yrs  of 
exp.  Send  resume  to  HR. 
eTransX  Inc.  5214  Maryland 
Way,  Suite  100,  Brentwood,  TN 
37027  or  E-mail:  info@etransx.com. 
Network World Events and Executive Forums produces educational events
and executive forums worldwide, including our one day Technology Tours,
customized on-site training, and executive forums such as DEMO®,
DEMOmobile®, and VORTEX, as well as the DEMOletter and VORTEX
Digest newsletters. For complete information on our current seminar
offerings, call us at 800-643-4668 or go to www.nwfusion.com/events.


Publicize your press coverage in Network World by ordering reprints of
your editorial mentions. Reprints make great marketing materials and
are available in quantities of 500 and up. To order, contact Reprint
Management Services at (717) 399-1900 x129 or E-mail: mshober@reprintbuyer.com.
Telling a pick from a plug

Here is a sampling of lock picking terms defined in the
book Steel Bolt Hacking by Douglas Chick.

Bow: The handle of a key.

Jiggler: A thin piece of metal cut in the general shape of a key.
Like the name suggests, you jiggle a jiggler in the key in hopes of
opening the lock.

Picking tool: Any tool that can be used to manipulate the tumblers
of a lock and open it.

Plug: The part of the lock that you put the key into and turn to
operate the lock.

Shear line: The dividing line between the plug and the shell that
when free of pins is allowed to turn.

Shell: The outer part of the lock that surrounds the plug.

Tumbler: A moveable obstruction of varying size and configuration
in a lock that makes direct contact with the key or another tumbler
and prevents an incorrect key or torque device from activating the
lock or other mechanism. Commonly known as pins or wafers (disks).


Locks

Certified locksmiths say they are wary of the ethical ramifications
of the general public learning to pick locks, though they aren’t
surprised that IT pros are gravitating toward the skill.

“Hackers by their original definition are problem solvers, so it
is a logical evolution,” says David Lowell, associate executive
director for the Associated Locksmiths of America trade group.

Others, such as attorney and author Marc Tobias, say it’s hard
these days for computer and network professionals not to think
about physical security — including sophisticated master-key
systems that feature unique keys for each lock but a master key
that can open all locks — given the measures most organizations
take to protect their equipment.

Pick of the litter

Lock pickers say they sometimes follow street-sweeping machines
to collect the metal bristles that shake loose. They then make
lock picks out of the bristles by bending them in a certain way.

“IT people get into physical security by default. Their computers,
networks and servers are not sitting in the middle of nowhere,”
says Tobias, who created a stir earlier this year by calling
attention to flaws in certain laptop computer locks. “They are
locked in rooms that are generally [part of a master-key system].
If I can get access to your server, I can do a lot of damage.”

Chick’s no-frills book is one of many instructional lock-picking
references available, many of them online. These include the
seminal Guide to Lock Picking, which also is known as the MIT
Guide to Lock Picking, although the hacker community from that
school has pleaded for those distributing and posting the manual
to take “MIT” out of the title because they say their intention
was never to have the guide distributed widely. Rather, they say it
was meant to aid those carrying on the time-honored tradition of
slipping into and exploring tunnels and roofs on campus.

Network administrator Grant Siebrecht, who works for an ISP
in western Iowa, says he recently got turned on to lock picking
after coming across a Web site called lockpicking101.com. “I
bent some paper clips, took the clip off a mechanical pencil and
proceeded to pick the lock on my filing cabinet. I was hooked,”
he wrote on the site.

A network administrator and lock-picking enthusiast who goes
by the online name RenderMan says he has participated in each
of the first two lock-picking contests held at DefCon, an annual
hackers’ convention in Las Vegas. In this year’s contest he popped
a doorknob lock in 12 seconds to move on to the second round,
but the 48 seconds it took him to solve a deadbolt lock in that
round proved not nearly fast enough. “An overlap with one of
[DefCon’s] war-driving contests left me fatigued and my hands
shaking going into the second round,” he says.
Lock picking is a mix of technical know-how and feel. “Lock
picking is accomplished by the manipulation of the lock by
using your touch and listening to the bounce of pins and sometimes
the smell of oil to the turn of the plug,” Chick writes in his
book. He says it can take him a few minutes to undo a box of
locks one day then “struggle until my fingers hurt” another day.

Chick, who regularly dishes out his thoughts about the IT industry
on his Web site — www.thenetworkadministrator.com —
says he timed the book’s publication to coincide with this past
summer’s DefCon 12 convention.

But the popularity of lock picking as a hobby among computer
pros is hard to measure because those involved tend to keep
quiet about it. They point to a patchwork of laws concerning
the shipment and possession of lock picks. (One Network World
contributor says French authorities recently confiscated his lock
picks in Guadeloupe.)

Lock-picking  hobbyists  are 
more  open  outside  the  U.S.  in 
countries  such  as  Germany  and 
the  Netherlands,  where  clubs 
dubbed  Sportenthusiasts  of 
Lockpicking  and  TOOOL  even 
have  their  own  Web  sites.  (The 
group’s  Web  site  says  the  three 
O’s  stand  for  practicing  Over  and 
Over  and  Over.) 

“Locksport events in the Americas are still really at the grassroots
stage, and little official management is done at this
time,” says a Canadian locksmith who goes by the handle Varjeal
at lockpicking101.com, where he is a forum moderator.

However, the overseas groups are starting to make their presence
felt in the U.S. Eric Michaud, a junior at Ramapo College
in Mahwah, N.J., and his friend Sandy Clark, a Linux systems
administrator at Princeton University, say they expect to have a
TOOOL spin-off club up and running in the next month or two.
Among those interested in joining are a pianist and a dentist,
Michaud says.

“We need to protect ourselves. We need to make sure people
don’t join for the wrong reasons,” says Michaud, who has been
prepping for this past weekend’s “Dutch Open,” an annual
lock-picking event in the Netherlands.

In addition to treading carefully near law enforcement,
computer-savvy lock pickers are learning to co-exist with
traditional locksmiths.

“Locksmiths  in  North  America 
take  a  pretty  dim  view  of”  the 
newcomers,  attorney  Tobias  says. 
“Locksmiths  still  seem  to  think 
that  everything  is  a  secret.” 

Marty Arnold, a certified master locksmith, says the Greater
Philadelphia Locksmith Association limited the lock-picking contest
held last month at its annual conference to locksmiths. “For
security purposes we try to keep the art of lock picking from the
general public,” he says.

Chick rewrote his book with the help of a couple of locksmiths,
including Varjeal, after taking heat for an initial version
that locksmiths denigrated as inaccurate and for bastardizing
the terminology.

“They believe ... that lock picks should remain in the hands of
locksmiths and computer people should just stick to Internet porn. I
don’t agree, of course,” he says.
serializing of information. “It’s like having a conversation
through two interpreters,” he says.

Work in progress

Users agree SOAs don’t get built overnight.

Moreland says over the past 20 years The Hartford
has used some form of what is today described as an
SOA. The retooling of the SEMCI application simply
formalized the idea. Now The Hartford uses its SOA
to support other services, such as document processing.
It also has used the SOA to create a service
around an existing application for providing an
agent profile, known as a producer profile, that’s used
to determine access to systems.

The original idea was to authenticate to the existing
profile application and request the data, but it
was a cumbersome integration that would have
taken months of development. Instead, The
Hartford is using its SOA platform to handle agent
authentication.

“We were able to do it in a half-day on our services
platform,” Moreland says.

Moreland says the exercise highlights the benefits
of The Hartford’s SOA, including reduced development
time and maintenance costs, because the
company doesn’t have multiple versions of the same
technology.

“That is what the SOA is all about. You start to
abstract away the technical details. When you get
business function reuse, that is where the business
value is,” he says.

While the hard dollar savings are difficult to quantify,
Moreland says his staff now is doing twice as
much to foster IT within the company.

Another benefit is a reduced reliance on any single
vendor. “One of the comments we make to vendors
in this SOA world is ‘the easier it is to replace
you, the more we like you,’” Moreland says. “We want
to have a lot of flexibility to pull in a new vendor
without having a major 18-month application
rework.”
Virtualization will own the enterprise


The week before last I attended the VMworld 2004 conference
in San Diego. This event, hosted by VMware, surprised me. I got
to the venue a little later than I had planned and went into the
general session expecting to see maybe 300 or 400 people. There
were about 1,600.

Now, I’ve been a big fan of VMware for some time
because it makes it possible to run multiple copies of
multiple operating systems on one machine. Indeed,
there was a series of Gearhead columns on the product
(www.nwfusion.com, DocFinder: 4558), which
you could characterize as wildly enthusiastic.

VMware was gaining significant interest when EMC
acquired the company last January, but little did I
realize just how much of an impact VMware had
made until I ran into these 1,600 fans.

Moreover, the attendees weren’t, as one vendor put
it, “just from community colleges”; they were from
Fortune-size companies, and about 20% came from
overseas. Add to that about 30 partners, such as Dell,
HP and IBM, and about 250 channel partners, and
you can see something profound is happening.

I talked to several attendees, and it appeared two
main issues were driving their interest. The first was
server consolidation. Some customers have managed
to reduce their server population by one-third.

In most enterprise environments server loadings
are frequently far below platform capabilities.
Running multiple virtual machines lets you take two
or three servers running at 15% or 20% utilization
and aggregate them onto one server that now runs
at maybe 60%. Even better, you can move virtual
machines from one physical server to another to
readjust physical machine loadings.

Add to that the amount of rack space regained, the
decreased power and cooling required, the reduced
amount of hardware to maintain, and the fact that
you can preserve the politics of server ownership
within the organization, and you come up with a
very compelling argument for VMware.

Then there is server management. Because of the
architecture of VMware, activities such as provisioning,
recovering and maintaining servers are vastly simplified.
In short, virtual machine technology creates a
more cost-effective enterprise infrastructure in just
about every important category of service.

Among the partners at the event I saw a number of
products that got me way overexcited: Softricity’s
SoftGrid is what I’ve wanted for years. It insulates
Windows from applications and vice versa, and provides
for applications the same vastly improved provisioning
and management that VMware provides for
operating systems. The combination of VMware and
SoftGrid is amazing.

Another product that impressed me was Aurema.
The company’s product, ARMTech, provides workload
and performance management to physical and
virtual servers by controlling application scheduling
through what it refers to as “business-based resource
policy enforcement and provisioning.” This allows
not only for optimizing server workload but also provides
resource monitoring for bill-back accounting.

Expect to see both of these products reviewed in
future Gearhead columns.

Also in attendance was BMC Software. The company
is engineering its Patrol network management systems
to work with virtual machines. The products —
Patrol Performance Assurance for Virtual Servers and
Patrol for Virtual Servers — will provide capacity performance
and dynamic workload management for
VMware systems.

So what are the implications of this explosion of
virtualization?

Well, hardware vendors will find it increasingly
difficult to differentiate their products because the
performance of similar gear will only vary by a
couple of percent. Moreover, as most servers are
built from commodity components, the cost basis
for a server is more or less constant between vendors,
and virtualization removes your reliance on
platform features that are supposed to add value.

So unless you need ultra-high-reliability systems,
you’re going to go for generic server hardware. In
other words, hardware margins for enterprise sales
will be razor thin. As if they weren’t already.

More implications next week. Your conclusions to
backspin@gibbs.com.
News, insights, opinions and oddities


By  Paul  McNamara 

Tugging  at  IE’s  pant  leg 

Bill  Gates  will  hold  a  yard  sale  to  help 
make  ends  meet  before  his  company's 
Internet  Explorer  is  displaced  as  the  world's  dominant  Web  browser. 

But that doesn't mean there's nothing meaningful in the browser usage trend
data released recently by WebSideStory. According to the Web analytics firm,
users of the Mozilla and pre-release Firefox open source browsers grew to 6% of
the U.S. online populace as of Oct. 29, up from 3.5% only four months earlier.

That's a solid jump from a modest starting point, yes, and Microsoft still commands
a 92.9% market share. But the increased open source use comes almost
entirely out of IE’s hide and presages nothing but good things for the official
release this week of Firefox 1.0, the Mozilla project’s almost universally acclaimed
entry into the world of alternative browsers.

"When we saw Firefox making a dent, and when we saw IE starting to lose a little
market share at the start of the summer, we didn’t know if this was going to be
a six- or eight-week thing and then all would go back to normal,” says Geoff
Johnston, an analyst at WebSideStory, which has tracked browser trends since
1998. “What's interesting is that here we are five months [into the movement] and
not only have things not flattened but they have continually and steadily grown.
Firefox is gaining market share largely at the expense of IE. Now it’s not just
curiosity seekers; now people are changing and staying.”

No  one  is  suggesting  that  what  we  are  witnessing  is  the  opening  salvo  in  a 
BrowserWar  II  that  this  time  will  find  Microsoft  on  the  losing  end.  But  Johnston 
does  see  forces  at  work  that  recall  IE’s  late-’90s  knockout  of  Netscape.  (It  was 
only six years ago that Netscape ruled the roost.)

“What really knocked them out in the end was that IE 5.0 was just better than
Netscape 4.0,” Johnston says. Early adopters are reaching the same conclusion
about Firefox, he adds. “You're getting the impression that people are not just trying
it but staying with it. Apparently people like it well enough not to switch back.”

Firefox  has  been  downloaded  more  than  7.5  million  times,  according  to  the  ticker 
at  www.spreadfirefox.com.  Hoopla  around  the  official  launch  of  Firefox  1.0  has 
included  a  fund-raising  effort  to  publish  full-page  advertisements  in  The  New 
York  Times  and  plans  for  some  280  launch  parties  worldwide. 

“Honestly, it’s not a mainstream thing yet,” Johnston says. “These are the cutting-edge
folks who have tried it and love it. But that doesn't mean it's not significant.
What it says is there is a market for an alternative.”

Whether  that  market  extends  to  the  corporate  level  is  another  question,  since 
the inhibitors to moving off of IE are as numerous and well known as that browser’s
security shortcomings. (My Network World colleague John Fontana examines
these  issues  thoroughly  in  a  story  you  can  find  at  www.nwfusion.com,  DocFinder: 
4560.) 

“There's always a chance,” Johnston says of Firefox possibly making workplace
inroads. “Maybe in smaller corporations first because there’s less bureaucracy to
get past. The beauty of that is that IT guys [who are already trying Firefox] are
usually the cutting edge anyway.”

The Mozilla project has stated that it would like to grab a 10% market share by
the  end  of  next  year.  While  that  appears  to  be  a  tall  order,  it  would  have  seemed 
downright  unthinkable  not  that  long  ago. 

“It’s  going  to  have  to  be  a  grass-roots,  word-of-mouth,  groundswell  sort  of 
thing,”  Johnston  says. 

Maybe  the  kind  of  thing  that  starts  off  at  3.5%  and  hops  up  to  a  solid  6%  in  the 
course  of  a  season  change? 

Have  any  word-of-mouth  of  your  own  to  offer?  The  address  is  buzz@nww.com. 